[c-nsp] IP unnumbered question. Are isp's using this alot?

Ted Mittelstaedt tedm at toybox.placo.com
Sat Jun 25 18:45:09 EDT 2005


Yes it is, and bitching about it repeatedly doesn't change that.
The only time it isn't is if you're a transit ISP and if you are,
then you should have enough IP addresses that this shouldn't be
an issue.  But for end-node ASes, and their customers, it IS fine
since if they are using RFC1918, then they can't use those router
interfaces to talk with anyone on the Internet, so those routers will
normally not be sourcing traffic.

Now, you do have a valid point that in some situations a remote
attacker might be able to make those routers emit an RFC1918-sourced
packet, but that is easily taken care of by an egress filter.  And,
frankly, any end-node network out there in this day and age absolutely
needs to be running anti-spoof ingress and egress filters.  (Not to
mention that if their feeds were doing their job, then they would
never have a need for ingress spoof filters, since they shouldn't
be sent traffic that isn't destined for their network in the
first place.)

The biggest emitters of RFC1918-sourced packets on a network are
compromised hosts, not routers.  Before getting all up in arms
about RFC1918-sourced traffic from routers, get up in arms about
the number of networks out there who don't filter anything
whatsoever that they source.

Now as for the rest of it, 

As for MTU path discovery, that is not a major factor anymore
because so many sites already out there improperly filter ICMP
that it is now risky to source traffic from any kind of network
that uses an MTU smaller than 1500 bytes (or any network
that connects to the Internet with a link that has an MTU smaller
than 1500 bytes), so people are pretty much
prevented from using an MTU smaller than that nowadays, even if they
know what they are doing.  As a result you can break MTU path
discovery now with impunity if you simply make sure that all your
networks use an MTU of 1500 bytes or larger.  I'm not saying that this
is at all optimal or is not a perversion of the intent of MTU
path discovery, but it is very much like when the banks started
charging ATM withdrawal fees - once one bank started doing it, there
was little point for the rest of them to hold back.

And as for traceroute - playing devil's advocate, why do you need to
know the structure of my internal network?  The only reason is that
if I've fucked it up, so that you or one of your customers is having
problems getting to me or one of my customers, then you can see what
I've done to break it.  And why should I give you ammo to hand to
your customer?  If you or your customer is having trouble getting
at something in my network, you're welcome to call me on the telephone
and tell me there's a problem.  You don't have to diagnose that
problem for me.

The fact of the matter is that all RFC1918 numbers on my serial links
do is force you to treat my network as a black box; it takes away
the transparency of my network from you.  That forces you to go through me
when there's a problem on my network.  You probably don't prefer to do
that rather than just examining my network from a computer, but it is
my network and I'm paying for it, and I can do whatever I want with it.
As long as I'm not pissing off my feeds by transmitting RFC1918-sourced
traffic, or transmitting traffic with spoofed IP numbers, or sending
out viruses, or performing cracks, then I can do what the hell I want
and piss on you and your traceroute command.

And I will remind you that this is devil's advocate, as I don't use
RFC1918 on my network.  (I almost certainly do have a few virus-infested
hosts on it, though.)

Ted

>-----Original Message-----
>From: Gert Doering [mailto:gert at greenie.muc.de]
>Sent: Friday, June 24, 2005 2:20 PM
>To: Ted Mittelstaedt
>Cc: Joseph Jackson; cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] IP unnumbered question. Are isp's using this alot?
>
>
>Hi,
>
>On Wed, Jun 22, 2005 at 10:23:48PM -0700, Ted Mittelstaedt wrote:
>> [..] it is perfectly fine to use private numbers.  
>
>No, it's not, and it doesn't get any more true if repeated a couple
>of times.
>
>Using private IPs for transit links makes the routers (at least
>all products in widespread use today) generate packets with RFC1918
>source IPs, and this is a violation of RFC1918 - "do not send packets
>sourced from these IPs out into the wild".
>
>This breaks path MTU discovery, traceroute, and other useful ICMP
>features.  If you *want* to break that, then say so, but don't abuse
>RFC1918 space for it.
>
>gert
>-- 
>Gert Doering
>Mobile communications ... right now writing from * Isola dei Gabbiani *
>
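The anti-spoof ingress and egress filtering Ted refers to above, written out as an added IOS configuration example (this is not from either mail in the thread). The site prefix 203.0.113.0/24, the interface names and their roles are assumptions; substitute your own allocation. The same ACL is applied outbound on the upstream link and inbound on the interface facing the rest of the site, because an IOS outbound ACL does not match packets the router itself generates, so RFC1918-sourced ICMP from an internal router's private-addressed interface is caught one hop downstream rather than on the router that emits it.

```cisco
! Added example, not from the thread. 203.0.113.0/24 and the interface
! names are placeholders; substitute the site's own allocation.
!
! Only packets sourced from the site's own allocation may leave. Anything
! else, including RFC1918-sourced packets emitted by private-addressed
! router interfaces and by compromised hosts, is dropped and logged.
ip access-list extended SITE-SOURCES-ONLY
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
! Inbound from upstream: nothing outside should claim an RFC1918 source
! or the site's own prefix.
ip access-list extended FROM-UPSTREAM
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any log
 permit ip any any
!
interface Serial0/0
 description Upstream transit link (assumed name)
 ip access-group FROM-UPSTREAM in
 ip access-group SITE-SOURCES-ONLY out
!
! The same ACL inbound on the interface facing the internal routers and
! hosts. Outbound ACLs do not filter router-generated traffic, so this is
! where RFC1918-sourced ICMP from an internal router actually gets caught.
! Strict unicast RPF (needs CEF) additionally rejects any source that is
! not routed back out this interface.
ip cef
interface FastEthernet0/1
 description Internal / customer side (assumed name)
 ip access-group SITE-SOURCES-ONLY in
 ip verify unicast source reachable-via rx
```

The per-entry hit counts from `show ip access-lists SITE-SOURCES-ONLY` and the `log` entries give a direct measure of how much RFC1918-sourced traffic the site would otherwise have leaked, and which internal hosts are emitting it, which is the compromised-host problem Ted raises. The border router's own upstream-facing interface is the one case this does not cover, since its self-generated packets bypass the outbound ACL; keeping that interface on a public address (or `ip unnumbered` against a loopback carrying a public address) avoids the issue.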