General question on rfc1918

2007-11-13 Thread Drew Weaver 

Hi there, I just had a real quick question. I hope this is found to be 
on topic.

Is it to be expected to see rfc1918 src'd packets coming from transit carriers?

We have filters in place on our edge (obviously) but should we be seeing 
traffic from 192.168.0.0 and 10.0.0.0 et cetera hitting our transit interfaces?

I guess I'm not sure why large carrier networks wouldn't simply filter this in 
their core?

Thanks,
-Drew

Re: General question on rfc1918

2007-11-13 Thread Joe Abley 



On 13-Nov-2007, at 10:08, Drew Weaver wrote:

   Hi there, I just had a real quick question. I hope this is  
found to be on topic.


Is it to be expected to see rfc1918 src'd packets coming from  
transit carriers?


You should not send packets with RFC1918 source or destination  
addresses to the Internet. Everybody should follow this advice. If  
everybody did follow that advice, you wouldn't see the packets you are  
seeing.


The cynical answer, however, based on observation of real-life  
networks, is yes because people are naturally messy creatures.


We have filters in place on our edge (obviously) but should we be  
seeing traffic from 192.168.0.0 and 10.0.0.0 et cetera hitting our  
transit interfaces?


I guess I'm not sure why large carrier networks wouldn't simply  
filter this in their core?


I can think of lots of things that large carrier networks (as well as  
smaller, non-carrier networks!) do that seem on the face of it to defy  
explanation, of which this is just one example :-)



Joe

RE: General question on rfc1918

2007-11-13 Thread Darden, Patrick S. 


They do.  What you are seeing are probably forged packets.  Nmap etc. all let 
you forge SIP, in fact they automate it.  One Nmap mode actually actively 
obfuscates network scans by doing random SIPs--e.g. 10,000 random SIPs and one 
real one--this makes it hard to figure out who is actually scanning your 
networks.

Of course, if you don't filter incoming traffic on your inner interfaces, then 
the traffic could be from your own network.  A lot of people filter  only on 
their external ints:

outgoing traffic limited to [mynetwork1, mynetwork2, mynetwork3]
incoming traffic limited to [public IP addresses]

Make sense?

--Patrick Darden
--Internetworking Manager
--ARMC


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Drew Weaver
Sent: Tuesday, November 13, 2007 10:09 AM
To: nanog@merit.edu
Subject: General question on rfc1918



Hi there, I just had a real quick question. I hope this is found to be 
on topic.

Is it to be expected to see rfc1918 src'd packets coming from transit carriers?

We have filters in place on our edge (obviously) but should we be seeing 
traffic from 192.168.0.0 and 10.0.0.0 et cetera hitting our transit interfaces?

I guess I'm not sure why large carrier networks wouldn't simply filter this in 
their core?

Thanks,
-Drew

Re: General question on rfc1918

2007-11-13 Thread Justin M. Streiner 


On Tue, 13 Nov 2007, Drew Weaver wrote:

Hi there, I just had a real quick question. I hope this is found to be 
on topic.


Is it to be expected to see rfc1918 src'd packets coming from transit 
carriers?


I would recommend grilling your carriers to find out  why they're not 
dropping packets sourced from or destined to 1918 addresses.


jms

Re: General question on rfc1918

2007-11-13 Thread Joe Greco 

 Hi there, I just had a real quick question. I hope this is found to 
 be on topic.
 
 Is it to be expected to see rfc1918 src'd packets coming from transit 
 carriers?
 
 We have filters in place on our edge (obviously) but should we be seeing 
 traffic from 192.168.0.0 and 10.0.0.0 et cetera hitting our transit 
 interfaces?
 
 I guess I'm not sure why large carrier networks wouldn't simply filter this 
 in their core?

[pick-a-random-BCP38-snipe ...]

It's a feature: You can tell which of your providers does BCP38 this way.

Heh.

It's the networking equivalent of all the bad sorts of DOS/Windows 
programming.  You know, the rule that says once it can run successfully,
it must be correct.  Never mind checking for exceptional conditions,
buffer overruns, etc.

It's the same class of problem where corporate IT departments, listening
to some idiot, filter all ICMP, and are convinced this is okay because 
they can reach ${one-web-site-of-your-choice}, and refuse to contemplate
that they might have broken something.

Once your network is routing packets and you aren't hearing complaints
about being unable to reach a destination, it's got to be configured
correctly ... right?

Consider it life on the Internet.  Do their job for them.

Around here, we've been doing BCP38 since before there was a BCP38.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

Re: General question on rfc1918

2007-11-13 Thread Robert Bonomi 

 From [EMAIL PROTECTED]  Tue Nov 13 09:12:04 2007
 Cc: nanog@merit.edu nanog@merit.edu
 From: Joe Abley [EMAIL PROTECTED]
 To: Drew Weaver [EMAIL PROTECTED]
 Subject: Re: General question on rfc1918
 Date: Tue, 13 Nov 2007 10:10:26 -0500



 On 13-Nov-2007, at 10:08, Drew Weaver wrote:

 Hi there, I just had a real quick question. I hope this is  
  found to be on topic.
 
  Is it to be expected to see rfc1918 src'd packets coming from  
  transit carriers?

 You should not send packets with RFC1918 source or destination  
 addresses to the Internet. Everybody should follow this advice. If  
 everybody did follow that advice, you wouldn't see the packets you are  
 seeing.


Really?  What do you do if a 'network internal' device -- a legitimate
use of RFC1918 addresses -- discovers 'host/network unreachable' for an 
external-origin packet transitinng that device?   evil grin

Your comment _is_ generally correct, but there are some significant
'corner cases' that do complicate life.

Packets that could conceivably generate a reply/response and have an
RFC 1918 address (source -or- dest) should be ingress *and* egress
filtered -- unless there is specific agreement with the adjacent network
with regard to coordinated use of specific portions of that space.

Packets which are strictly error/status reporting -- e.g. IMP 'unreachable',
'ttl exceeded', 'redirect', etc. -- should *NOT* be filtered at network
boundaries  _solely_ because of an RFC1918 source address.

Re: General question on rfc1918

2007-11-13 Thread Joe Abley 



On 13-Nov-2007, at 10:35, Robert Bonomi wrote:


On 13-Nov-2007, at 10:08, Drew Weaver wrote:


  Hi there, I just had a real quick question. I hope this is
found to be on topic.

Is it to be expected to see rfc1918 src'd packets coming from
transit carriers?


You should not send packets with RFC1918 source or destination
addresses to the Internet. Everybody should follow this advice. If
everybody did follow that advice, you wouldn't see the packets you  
are

seeing.


Really?  What do you do if a 'network internal' device -- a legitimate
use of RFC1918 addresses -- discovers 'host/network unreachable' for  
an

external-origin packet transitinng that device?   evil grin


You drop the packet at your border before it is sent out to the  
Internet.


This is why numbering interfaces in the data path of non-internal  
traffic is a bad idea.


Packets which are strictly error/status reporting -- e.g. IMP  
'unreachable',
'ttl exceeded', 'redirect', etc. -- should *NOT* be filtered at  
network

boundaries  _solely_ because of an RFC1918 source address.


I respectfully disagree.


Joe

RE: General question on rfc1918

2007-11-13 Thread Drew Weaver 

On Tue, 13 Nov 2007, Drew Weaver wrote:

 Hi there, I just had a real quick question. I hope this is found to be
 on topic.

 Is it to be expected to see rfc1918 src'd packets coming from transit
 carriers?

I would recommend grilling your carriers to find out  why they're not
dropping packets sourced from or destined to 1918 addresses.

Jms


That is kind of the general theme I've been hearing back from most nanog'ers 
yet I have a feeling they're going to have no idea what I'm talking about.

-Drew

Re: General question on rfc1918

2007-11-13 Thread Sean Donelan 


On Tue, 13 Nov 2007, Drew Weaver wrote:

Is it to be expected to see rfc1918 src'd packets coming from transit carriers?


Yes.  Any ISP which uses RFC1918 on internal links may generate 
various ICMP error packets (e.g. traceroute/TTL expire, PMTU 
discovery/Fragmentation required, etc) from router interfaces which have

RFC1918 addresses for transit traffic.

Some people filter them anyway, and get *'s in traceroutes and PMTU 
weirdness.


#include old debate about using RFC1918 addresses on transit links
#include other old debate about filtering stuff in backbones or edge

Re: General question on rfc1918

2007-11-13 Thread Phil Regnauld 

Joe Abley (jabley) writes:
 
  You drop the packet at your border before it is sent out to the Internet.
 
  This is why numbering interfaces in the data path of non-internal traffic is 
  a bad idea.

Unfortunately many providers have the bad habit of using RFC1918
for interconnect, on the basis that a) it saves IPs b) it makes
the interconnect not vulnerable [1].

  Packets which are strictly error/status reporting -- e.g. IMP 
  'unreachable',
  'ttl exceeded', 'redirect', etc. -- should *NOT* be filtered at network
  boundaries  _solely_ because of an RFC1918 source address.
 
  I respectfully disagree.

Same here, and even if egress filtering didn't catch it, many inbound
filters will.

[1] I'v also heard of ISPs having an entire /16 of routable addresses
for their interconnect, but they just don't advertise to peers.