Discussion in 'Linux Networking' started by bob, Oct 17, 2012.

  1. Jorgen Grahn (Guest)

    You say you can see e.g. in traceroute output. That means
    you have actually received an ICMP time exceeded (or whatever it's
    called) message from that host. Surely then it's not just "inside their

    I may have a host in my local network already. I cannot
    think right now of any bad effects of getting ICMP from a doppelganger
    (except for confusion in the logs) but I'd prefer for it never to

    Jorgen Grahn, Oct 20, 2012

  2. orcus (Guest)

    In the RFC, traffic blocking is only a recommendation. ISPs are blocking almost
    all traffic with private sources or destinations, but:

    If the TTL is reduced to zero (or less), the packet MUST be
    discarded, and if the destination is not a multicast address the
    router MUST send an ICMP Time Exceeded message, Code 0 (TTL Exceeded
    in Transit) message to the source.

    MUST in an RFC is not a recommendation like SHOULD (I think there is an RFC
    about these words' meaning).
    That ICMP packet will contain the IP header and some part of the payload of the
    discarded packet. Any software that is logging network flows should
    be able to match it with the correct stream. If you use "flat" network
    packet logging (one packet - one entry) you should see which packet
    was discarded. For example: the Linux iptables LOG target dumps the discarded
    IP header in square brackets.
    orcus, Oct 20, 2012
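The matching orcus describes, as an added example that is not code from the thread: it builds a constructed ICMP Time Exceeded message (type 11, code 0) quoting the discarded packet's IP header plus its first 8 bytes, as RFC 792 requires, then looks that quoted 5-tuple up in a constructed flow log. All addresses, ports and the flow table are made up for the example.

```python
import socket
import struct

def ipv4_header(src, dst, proto, ttl=64, total_len=20):
    """Minimal 20-byte IPv4 header; checksum left zero (irrelevant for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_time_exceeded(router, q_src, q_dst, sport, dport):
    """Constructed sample: ICMP Time Exceeded (type 11, code 0) sent by `router`
    to `q_src`, quoting the discarded UDP packet's IP header + first 8 bytes."""
    quoted = ipv4_header(q_src, q_dst, 17, ttl=1, total_len=36)
    quoted += struct.pack("!HHHH", sport, dport, 16, 0)      # UDP header = 8 bytes
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted          # type, code, csum, unused
    return ipv4_header(router, q_src, 1, total_len=20 + len(icmp)) + icmp

def parse_time_exceeded(pkt):
    """Return (router, code, quoted 5-tuple) or None if this is not ICMP type 11."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                                     # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 11:                                   # Time Exceeded only
        return None
    inner = icmp[8:]                                    # quoted IP header starts here
    iihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport = dport = None
    if proto in (6, 17) and len(inner) >= iihl + 4:     # TCP/UDP ports sit in the 8 quoted bytes
        sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return socket.inet_ntoa(pkt[12:16]), icmp[1], (src, sport, dst, dport, proto)

def correlate(flows, pkt):
    """Match an ICMP error to the logged flow whose packet was discarded."""
    parsed = parse_time_exceeded(pkt)
    if parsed is None:
        return None
    router, code, five_tuple = parsed
    return {"router": router, "code": code, "flow": flows.get(five_tuple),
            "discarded": five_tuple}

# Constructed flow log keyed by (src, sport, dst, dport, proto), as a flow logger would keep it.
FLOWS = {("192.168.1.20", 33434, "198.51.100.7", 33434, 17): "traceroute probe, ttl=1"}
SAMPLE = build_time_exceeded("10.255.0.1", "192.168.1.20", "198.51.100.7", 33434, 33434)

if __name__ == "__main__":
    print(correlate(FLOWS, SAMPLE))
```

The router address in the sample is deliberately a 10/8 address, the private-addressed hop the thread is about; the quoted header still identifies the flow regardless of who sent the error.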

  3. Moe Trin (Guest)

    IP addresses are valuable commodities - as of Monday, 93.66 percent of
    the non-RFC5735 IPv4 addresses have been assigned or allocated. Why
    should an ISP waste them on hosts that normal users (never mind those
    out on the Big Bad Internet) won't be accessing? See the "Category 1:"
    definition on the bottom of page 2 of RFC1918.

    Why? What gives you ANY reason to expect that "backbone.com" is going
    to allow you to connect to their router? It's not a web server, and
    it's offering NO services to Internet users other than forwarding or
    routing packets.

    Second paragraph on page 5 of RFC1918:

    Because private addresses have no global meaning, routing information
    about private networks shall not be propagated on inter-enterprise
    links, and packets with private source or destination addresses
    should not be forwarded across such links.

    HOWEVER - note that RFC1918 is a "Best Current Practice" (see RFC1818
    which is historic, but explains that a BCP is not, and should not be
    considered "a standard"). Against this, you have RFC1812
    (Requirements for IP Version 4 Routers) section which says:

    Except where this document specifies otherwise, the IP source address
    in an ICMP message originated by the router MUST be one of the IP
    addresses associated with the physical interface over which the ICMP
    message is transmitted.

    and RFC1812 _is_ a standard.
    True - but an ICMP error message is "one way" - you don't reply to it
    (RFC0792, fourth paragraph of "Introduction" on bottom of page 1), so
    a little common sense would be helpful. Read the second paragraph of
    section 7 of RFC5735.
    See RFC2827 (and RFC3704). Your router or firewall should not be
    forwarding packets from the "outside" that have a source address of
    the LAN on the "inside". To avoid confusion, you may wish to filter
    all of the addresses listed in RFC5735 (and RFC5156 if you are using
    IPv6) as recommended by the first paragraph of section 7 of RFC5735.

    Old guy
    Moe Trin, Oct 20, 2012
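The two filtering policies Moe Trin cites, RFC 2827 ingress filtering and the optional RFC 5735 section 7 filter, as an added example that is not from the thread. The inside LAN prefix is an assumption of the example; the special-use block list is the one summarised in RFC 5735 section 4.

```python
import ipaddress

# RFC 5735 special-use IPv4 blocks (the list summarised in its section 4).
RFC5735_BLOCKS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4", "255.255.255.255/32")]

# Assumption for this example: the "inside" LAN behind the router is 192.168.1.0/24.
INSIDE_LAN = ipaddress.ip_network("192.168.1.0/24")

def special_use_block(addr):
    """Return the RFC 5735 block containing addr as a string, or None."""
    a = ipaddress.ip_address(addr)
    for net in RFC5735_BLOCKS:
        if a in net:
            return str(net)
    return None

def ingress_verdict(iface, src, filter_all_special=False):
    """Filter decision for a packet arriving on `iface` with source address `src`.
    RFC 2827: packets from the outside claiming an inside source are dropped.
    RFC 5735 section 7: optionally drop every special-use source from the outside."""
    if iface != "outside":
        return "ACCEPT", "not an outside-facing interface"
    if ipaddress.ip_address(src) in INSIDE_LAN:
        return "DROP", "spoofed inside source on outside interface (RFC 2827)"
    block = special_use_block(src)
    if block is None:
        return "ACCEPT", "globally routable source"
    if filter_all_special:
        return "DROP", "special-use source %s filtered (RFC 5735 s.7)" % block
    return "ACCEPT", "special-use source %s allowed; worth logging" % block

if __name__ == "__main__":
    for src in ("192.168.1.5", "192.168.5.5", "10.255.0.1", "172.32.0.1"):
        print(src, ingress_verdict("outside", src), ingress_verdict("outside", src, True))
```

With `filter_all_special=True` the ICMP Time Exceeded messages that private-addressed hops send are dropped as well, so traceroute shows those hops as timeouts rather than as doppelganger addresses; that is the trade-off between the two policies.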
  4. Moe Trin (Guest)

    [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
    Requirement Levels", BCP 14, RFC 2119, March 1997.

    Old guy
    Moe Trin, Oct 20, 2012
  5. unruh (Guest)

    Yes, there is, since many routers/switches/whatever on the internet are
    designed to throw away any packets addressed to those private addresses,
    since there is no way that they can be routed outside the private
    network itself. There are many many machines in the world with address
    say Which one should be chosen?
    unruh, Oct 21, 2012
  6. orcus (Guest)

    If some decided not to eat apples then we should call all apples

    In my network I have 10 networks 10.[0-10].0.0/16 and a router
    connecting them. Am I able to set up routing for these subnets?
    That range is clearly "routable".
    orcus, Oct 21, 2012
  7. Markus Koßmann

    Well, RFC1918 says:

    3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the
    following three blocks of the IP address space for private internets:

    - (10/8 prefix)
    - (172.16/12 prefix)
    - (192.168/16 prefix)

    So you are free to set up whatever routing you want in between your private
    subnet(s). But every connection from one of your subnets to the "non-
    private" internet has to use NAT (like connections from the 192.168.x.x
    Markus Koßmann, Oct 21, 2012