>It's not as simple as this... imagine the following network:
>
>server <- net a -> router a <- net b -> router b <-> internet <-> your host
>
>Let's say router A and router B are managed by people with too little
>routable IP space, so they used a 192.168.x.x address. After all that is an
>internal net for them and they have only seen a problem when trying to use
>traceroute to hosts on the internet.
>
>Now say router A needs to fragment a packet, or send a host unreachable for
>server back to your host. Guess what source address gets used? The
>192.168.x.x address.
Yup. Here's the traceroute from my home machine, on a microwave link:
Tracing route to wwwwseast.usec.sun.com [192.9.49.30]
over a maximum of 30 hops:

  1    20 ms    20 ms    48 ms  192.168.200.1
  2    19 ms    20 ms    20 ms  sbr.core.rtr.wavepath.net [205.158.140.65]
  3    23 ms    23 ms    23 ms  pop.access.rtr.wavepath.net [205.158.140.253]
  4    24 ms    23 ms    24 ms  pop.border.rtr.wavepath.net [205.158.140.1]
  5    27 ms    27 ms    27 ms  lmi.rtr.wavepath.net [205.158.140.194]
  6    31 ms    32 ms    31 ms  192.168.5.2
  7    96 ms   112 ms    76 ms  incaroads.lanminds.com [140.174.208.210]
  8    39 ms    38 ms    36 ms  core1-serial3-3.san-francisco.best.net [140.174.87.33]
  9    42 ms    73 ms    42 ms  h8-0-0.br1.mtvwca.pacific.verio.net [206.86.228.89]
 10    38 ms    39 ms    37 ms  p9-0-0.cr1.mtvwca.pacific.verio.net [209.157.62.201]
 11    43 ms    40 ms    50 ms  p12-0-0.br1.plalca.pacific.verio.net [209.157.181.162]
 12    57 ms    52 ms    48 ms  g0.pao5.verio.net [129.250.15.14]
 13    74 ms    55 ms    43 ms  core10-hssi6-0-0.SanFrancisco.cw.net [204.70.10.185]
 14    61 ms    49 ms    42 ms  corerouter2.SanFrancisco.cw.net [204.70.9.132]
 15   138 ms   166 ms   124 ms  xcore3.Boston.cw.net [204.70.150.81]
 16   125 ms   128 ms   125 ms  sun-micro-system.Boston.cw.net [204.70.179.102]
 17   129 ms   135 ms   137 ms  wwwweast.usec.Sun.COM [192.9.49.30]

You'll notice 192.168.x.x used in two separate places. The first hop is the far
side of the route from my PC, i.e. I'm not using 192.168.200.x on my Ethernet
side. That's not the first time I've seen ISPs doing that, either.

I consider this broken for an ISP, for exactly the same reason you point out.
What if one of the intermediate routers needs to send me an ICMP unreachable
of some sort? I'm perfectly within my rights to be using 192.168.x.x all over
my private network. I should be able to assume any packets from those addresses
should be from inside hosts, and block them with anti-spoofing measures
accordingly. Those addresses shouldn't be "on the Internet." So, my take is
that ISPs are "on the Internet" for all their space (minus admin networks,
etc.) so they don't get to use RFC1918 addresses. Sorry ISPs. Go get some real
address space, that's what you're there for.
(Sorry Cliff.. you hit a pet peeve... your bad luck :) )
Ryan
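The failure mode Ryan describes, as an added example that is not part of the original post: a script that walks a traceroute, flags every hop numbered from RFC 1918 space, and then models what a site's anti-spoofing border filter does with an ICMP "fragmentation needed" message sourced from such a hop. The hop lines are copied from the traceroute above; the border policy, the site prefix 203.0.113.0/24 (TEST-NET-3) and the `Packet` model are assumptions for illustration, not any vendor's filter syntax.

```python
"""Added example (not from the original post): an ISP router numbered from
RFC 1918 space cannot get ICMP errors back through a site that does
anti-spoofing on its border, so path MTU discovery silently breaks.

Hop lines are taken from the posted traceroute. The border policy, the
site prefix (203.0.113.0/24, TEST-NET-3) and the Packet model are
constructed assumptions for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# RFC 1918 private ranges. A border anti-spoofing rule treats any packet
# arriving from the Internet with one of these as its source as spoofed.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical site address space; a border filter also drops packets
# arriving from outside that claim one of our own addresses as source.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# A subset of the hops from the posted traceroute (constructed input).
TRACEROUTE = """\
  1    20 ms    20 ms    48 ms  192.168.200.1
  2    19 ms    20 ms    20 ms  sbr.core.rtr.wavepath.net [205.158.140.65]
  5    27 ms    27 ms    27 ms  lmi.rtr.wavepath.net [205.158.140.194]
  6    31 ms    32 ms    31 ms  192.168.5.2
  7    96 ms   112 ms    76 ms  incaroads.lanminds.com [140.174.208.210]
"""

IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def private_hops(traceroute: str) -> List[Tuple[int, str]]:
    """Return (hop number, address) for every hop whose address is RFC 1918.

    Each hop line ends in either a bare address or "name [address]", so the
    last IPv4 literal on the line is the hop's address either way.
    """
    found = []
    for line in traceroute.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # header or continuation line, not a hop
        addrs = IPV4_RE.findall(line)
        if addrs and is_rfc1918(addrs[-1]):
            found.append((int(fields[0]), addrs[-1]))
    return found


@dataclass
class Packet:
    """Minimal packet model: only the fields the border policy looks at."""
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    icmp_type: int = 0    # 3 = Destination Unreachable
    icmp_code: int = 0    # 4 = Fragmentation Needed and DF set


def border_ingress(pkt: Packet) -> str:
    """Hypothetical anti-spoofing policy on the Internet-facing interface:
    drop RFC 1918 sources and our own prefix as source; accept the rest."""
    if is_rfc1918(pkt.src):
        return "drop: RFC 1918 source on external interface (anti-spoofing)"
    if ipaddress.ip_address(pkt.src) in SITE_PREFIX:
        return "drop: our own prefix as source on external interface"
    return "accept"


def frag_needed_from(router_addr: str) -> str:
    """Outcome for an ICMP Fragmentation Needed (type 3, code 4) that an
    intermediate router at router_addr sends back to a host in our site."""
    pkt = Packet(src=router_addr, dst="203.0.113.10", proto="icmp",
                 icmp_type=3, icmp_code=4)
    return border_ingress(pkt)


if __name__ == "__main__":
    for hop, addr in private_hops(TRACEROUTE):
        print(f"hop {hop:2d} {addr:16s} -> ICMP from it: {frag_needed_from(addr)}")
    print(f"hop  7 140.174.208.210  -> ICMP from it: {frag_needed_from('140.174.208.210')}")
```

Hops 1 and 6 are flagged; an ICMP error from either is dropped at the site border exactly as if it were a spoofed internal packet, while the same message from hop 7 gets through. That is the PMTUD black hole: the sender keeps retransmitting full-size DF packets and never learns the smaller MTU, which is why numbering transit links from RFC 1918 space is not a harmless internal choice.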