[nsp] 192.168.x.y from upstream

Rivo Tahina RAZAFINDRATSIFA r.tahina at dts.mg
Mon Mar 10 17:20:52 EST 2003

Thank you!
At 13:02 10/03/03 +0000, you wrote:
>On Mon, 10 Mar 2003, Gert Doering wrote:
>> On Mon, Mar 10, 2003 at 02:42:01PM +0300, Rivo Tahina RAZAFINDRATSIFA
>> > Why do I receive something from private IP address such as 192.168. from my
>> > upstream?
>> Because many ISPs are lazy and do not properly filter packets before
>> the packets leave their networks.
>Indeed, although at one time this setup was encouraged when we thought IP space was
>But do NOT ever filter this on your core network or you will break things
>the RFC1918 sourced packets may be carrying - most significantly pMTU
>with ICMP. 
>The most prominent site I was aware of using RFC1918 internally that breaks if
>you filter RFC1918 ingress and then use <1500 MTU was bt.com (amongst
>The problem being a lot of companies use private addresses behind firewalls and
>do not include them in dynamic NAT configs etc falsely assuming these
>will never send packets to the Internet.
>> Proper network management consists of (relating to RFC1918 only):
>>  - don't use RFC 1918 addresses for the ISP backbone networks
>>    (because traceroute and other ICMP responses might end up being
>>    sent with those addresses, which violates RFC 1918)
>Absolutely, this is a violation of RFC1918..
>>  - filter your customer access lines so that customers can only generate
>>    packets with source IPs that belong to them ("anti-spoofing"), see
>>    also RFC 2827 "Network Ingress Filtering".
>Good anti-DDoS measure this..
>> gert
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>archive at http://puck.nether.net/pipermail/cisco-nsp/
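
The two filtering points raised in the thread, as an added example that is not part of the original messages: an RFC 2827 source check on a customer access line, and the effect of dropping RFC 1918 sources arriving from upstream on the ICMP message that path MTU discovery relies on. The function names, the `strict` switch, the policy of exempting ICMP type 3 code 4, and the sample packets are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges discussed in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP "destination unreachable / fragmentation needed" (type 3, code 4),
# the message path MTU discovery depends on.
ICMP_FRAG_NEEDED = (3, 4)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def customer_ingress(src, customer_prefixes):
    """RFC 2827 check on a customer access line: permit only sources
    inside the prefixes assigned to that customer (hypothetical helper)."""
    ip = ipaddress.ip_address(src)
    ok = any(ip in ipaddress.ip_network(p) for p in customer_prefixes)
    return "permit" if ok else "drop (spoofed source)"


def upstream_ingress(src, proto, icmp=None, strict=False):
    """Classify a packet arriving from upstream (hypothetical helper).
    strict=True drops every RFC 1918 source; strict=False is an assumed
    policy that keeps the ICMP message PMTUD needs."""
    if not is_rfc1918(src):
        return "permit"
    if not strict and proto == "icmp" and icmp == ICMP_FRAG_NEEDED:
        return "permit (PMTUD)"
    return "drop (RFC 1918 source)"


# Constructed sample packets: (source, protocol, ICMP type/code or None).
SAMPLE = [
    ("192.168.10.5", "tcp", None),
    ("192.168.10.1", "icmp", (3, 4)),
    ("198.51.100.7", "tcp", None),
]

if __name__ == "__main__":
    for src, proto, icmp in SAMPLE:
        print(src, proto, upstream_ingress(src, proto, icmp),
              "| strict:", upstream_ingress(src, proto, icmp, strict=True))
    print(customer_ingress("192.168.10.5", ["203.0.113.0/24"]))
```

The second sample packet shows the breakage described above: under the strict policy the fragmentation-needed message from a privately numbered router is dropped, so a sender on a path with an MTU below 1500 never learns to reduce its packet size.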
