[nsp] 192.168.x.y from upstream

Stephen J. Wilcox steve at telecomplete.co.uk
Mon Mar 10 13:02:54 EST 2003


On Mon, 10 Mar 2003, Gert Doering wrote:

> On Mon, Mar 10, 2003 at 02:42:01PM +0300, Rivo Tahina RAZAFINDRATSIFA wrote:
> > Why do I receive something from private IP address such as 192.168. from my
> > upstream?
> 
> Because many ISPs are lazy and do not properly filter packets before
> the packets leave their networks.

Indeed, although at one time this setup was encouraged when we thought IP space was 
scarce! 

But do NOT ever filter this on your core network or you will break things that 
the RFC1918 sourced packets may be carrying - most significantly pMTU conveyed 
with ICMP. 

The most prominent site I was aware of using RFC1918 internally that breaks if 
you filter RFC1918 ingress and then use <1500 MTU was bt.com (amongst others). 
The problem being a lot of companies use private addresses behind firewalls and 
do not include them in dynamic NAT configs etc falsely assuming these systems 
will never send packets to the Internet.

> Proper network management consists of (relating to RFC1918 only):
> 
>  - don't use RFC 1918 addresses for the ISP backbone networks
>    (because traceroute and other ICMP responses might end up being
>    sent with those addresses, which violates RFC 1918)

Absolutely, this is a violation of RFC1918..
 
>  - filter your customer access lines so that customers can only generate
>    packets with source IPs that belong to them ("anti-spoofing"), see
>    also RFC 2827 "Network Ingress Filtering".

Good anti-DDoS measure this..

Steve

> 
> gert
> 
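The two filtering points in the thread (an RFC 2827 ingress filter on the customer access line, versus a blanket RFC 1918 source filter in the core) can be modelled to show why the second one breaks path MTU discovery. The script below is an added example, not code from the original post or from either author; the packets, the customer prefix 203.0.113.0/24 and the 10.1.1.1 router address are constructed sample values, and the filter functions are a simplified model of ACL behaviour, not any vendor's configuration.

```python
"""Model of edge anti-spoofing vs. core RFC 1918 filtering and its effect on PMTUD.

Added example (not from the original thread). All addresses and packets are
constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 private address blocks.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    icmp_type: int = -1   # only meaningful when proto == "icmp"
    icmp_code: int = -1


def is_rfc1918(addr: str) -> bool:
    """True if the address falls inside one of the RFC 1918 blocks."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def is_pmtu_message(pkt: Packet) -> bool:
    """ICMP Destination Unreachable (type 3) / Fragmentation Needed (code 4),
    the message path MTU discovery depends on."""
    return pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 4


def edge_ingress_filter(pkt: Packet, customer_prefixes) -> str:
    """RFC 2827 style anti-spoofing on a customer access line: permit only
    packets whose source lies inside the prefixes assigned to that customer.
    Leaked RFC 1918 sources and spoofed public sources both fail this test."""
    nets = [ip_network(p) for p in customer_prefixes]
    src = ip_address(pkt.src)
    return "permit" if any(src in n for n in nets) else "drop"


def core_rfc1918_filter(pkt: Packet) -> str:
    """The core-side filter the post warns against: drop every packet with an
    RFC 1918 source, regardless of what it carries."""
    return "drop" if is_rfc1918(pkt.src) else "permit"


def pmtu_survives(pkts, policy) -> bool:
    """True if every PMTU ICMP message in the stream passes the given policy."""
    return all(policy(p) == "permit" for p in pkts if is_pmtu_message(p))


# Constructed sample traffic. The customer has been assigned 203.0.113.0/24.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]
EDGE_TRAFFIC = [
    Packet("203.0.113.10", "198.51.100.1", "tcp"),   # legitimate customer source
    Packet("192.168.1.5", "198.51.100.1", "tcp"),    # leaked private source
    Packet("198.51.100.7", "198.51.100.1", "tcp"),   # spoofed public source
]
# Traffic arriving from upstream. The Fragmentation Needed message comes from a
# router whose interface is numbered from 10/8 (constructed value 10.1.1.1).
PMTU_FROM_PRIVATE = Packet("10.1.1.1", "203.0.113.10", "icmp", icmp_type=3, icmp_code=4)
UPSTREAM_TRAFFIC = [
    Packet("198.51.100.1", "203.0.113.10", "tcp"),
    PMTU_FROM_PRIVATE,
]


def edge_decisions() -> dict:
    """Per-source verdicts of the customer-line ingress filter."""
    return {p.src: edge_ingress_filter(p, CUSTOMER_PREFIXES) for p in EDGE_TRAFFIC}


def core_decisions() -> dict:
    """Per-source verdicts of the blanket RFC 1918 core filter on upstream traffic."""
    return {p.src: core_rfc1918_filter(p) for p in UPSTREAM_TRAFFIC}


if __name__ == "__main__":
    print("edge (RFC 2827):", edge_decisions())
    print("core (RFC 1918 drop):", core_decisions())
    print("PMTUD intact with core RFC 1918 filter:",
          pmtu_survives(UPSTREAM_TRAFFIC, core_rfc1918_filter))
```

The edge filter stops both the leaked 192.168.1.5 source and the spoofed 198.51.100.7 source without needing any RFC 1918 knowledge, which is the anti-spoofing benefit Gert describes; the core filter, applied to traffic from upstream, silently drops the Fragmentation Needed message, which is exactly the PMTU breakage the post warns about.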


