Can a prefix be never routed on Internet but used only for source address in IP packets?

Question: Can a prefix be never routed on the Internet but used only one-way for source address in IP packets? That is, a user owns an IP prefix. They never advertise a route to it in BGP on the Internet, but they use the prefix solely as the source address in IP traffic from a source to a destination (sink). In this setup, the destination server obviously cannot/doesn't return any acknowledgements etc. to the source. Is anyone aware of any such known application in use on the Internet - even if it is rare? Thanks. Sriram

Wouldn't the US DOD be an example of this? They have a /8, so surely there are plenty of /24s not routed.
On Tue, Aug 19, 2025 at 12:34 PM Sriram, Kotikalapudi (Fed) via NANOG <nanog@lists.nanog.org> wrote:
Question: Can a prefix be never routed on the Internet but used only one-way for source address in IP packets?
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MSEGDFSZ...

Sure. A large American mobile operator did that with a lot of their DNS traffic for a couple of months. :-) Of course you may be talking about doing it _intentionally_. I don’t know of a reason to do it, but sure, it can be done. It’ll get dropped by anybody running uRPF. -Bill
On Aug 19, 2025, at 18:35, Sriram, Kotikalapudi (Fed) via NANOG <nanog@lists.nanog.org> wrote:
Question: Can a prefix be never routed on the Internet but used only one-way for source address in IP packets?

Thus spake Sriram, Kotikalapudi (Fed) via NANOG (nanog@lists.nanog.org) on Tue, Aug 19, 2025 at 04:34:18PM +0000:
Question: Can a prefix be never routed on the Internet but used only one-way for source address in IP packets?
We see this for example in a generalized pattern like instrument -> DAQ system -> UDP firehose -> FPGAs -> compute, which is a completely unidirectional application workflow. Dale

On 2025-08-19 17:34, Sriram, Kotikalapudi (Fed) via NANOG wrote:
Question: Can a prefix be never routed on the Internet but used only one-way for source address in IP packets?
You can have a prefix used for router interfaces but not advertised to the Internet, and still have them appear in traceroutes (sending ICMP unreachable / TTL expired) using their interface IPs. One of my upstreams was doing this for a long time, but they currently appear to now be advertising the prefix in question - I suspect to avoid people filtering the ICMPs from it.
Some other UDP protocols, including DNS in some contexts like some resolver libraries, don't actually care what IP a reply comes from, so it might send a request to one IP on a multihomed server and receive the answer from a different IP (which could be unadvertised).
I doubt there are many intentional use cases for this, but there might be some stuff limping along working that way because it works. Generally I don't think people should be filtering this stuff - if someone was doing something malicious, they could presumably just spoof it from an advertised IP, but I also wouldn't be surprised if it's on many best-practice tickbox lists by now, and I'm guessing you're looking at adding it to another one. -Rob

We see this for example in a generalized pattern like instrument -> DAQ system -> UDP firehose -> FPGAs -> compute, which is a completely unidirectional application workflow.
Is the prefix used as the source address of the traffic unadvertised/unrouted on the Internet? Is there any kind of check to see if the far side (FPGAs, compute) is available/ready to receive the data? Any thought given to what happens if the next-hop AS (say, upstream of the DAQ system) is doing source address validation using uRPF? Thanks, Dale.
Sriram
-----Original Message-----
From: Dale W. Carder <dwcarder@es.net>
Sent: Tuesday, August 19, 2025 1:24 PM
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>
Subject: [EXTERNAL] Re: Can a prefix be never routed on Internet but used only for source address in IP packets?
Thus spake Sriram, Kotikalapudi (Fed) via NANOG (nanog@lists.nanog.org) on Tue, Aug 19, 2025 at 04:34:18PM +0000:
Question: Can a prefix be never routed on the Internet but used only one-way for source address in IP packets?

On Tue, Aug 19, 2025 at 07:10:54PM +0200, Bill Woodcock via NANOG wrote:
Sure. A large American mobile operator did that with a lot of their DNS traffic for a couple of months. :-)
Of course you may be talking about doing it _intentionally_. I don't know of a reason to do it, but sure, it can be done. It'll get dropped by anybody running uRPF.
I don't remember if it was at SANE 2000 or 2002, but I was talking with a gentleman who was discussing network security with me and he described that his employer had just patented his technique for discovering "leaks", rogue connections, etc., in a secured network. He was being very mysterious so I asked him how his technique was different than the classic trawling around shooting packets with various source addresses at various targets within a network. Which is what they thought was unique and patentable.
So the point is that if you have an unrouted prefix, you can monitor the authorized uplink from a network to see if traffic sprayed within the network is seeing plausible response traffic addressed to that unrouted prefix, but also if you happen to have a ROUTABLE prefix, you can also detect rogue uplinks and stuff like that by seeing what does actually arrive at the routed network.
This is not exactly what the OP asked about, but it is in the same ballpark and may be interesting to someone. The ICMP response answer posted by Mr. Heitz is obviously more common as are the accidental misconfiguration class of answers.
... JG
-- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'" -Asimov
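Joe's canary-prefix monitoring, as an added example that is not part of the thread: it correlates flow records from the authorized uplink with arrivals at a collector inside a routed prefix. Hosts whose replies to canary-sourced probes exit the authorized uplink have answered and have a default route pointing there; replies that turn up at the routed collector without ever crossing that uplink must have used some other path out. The prefixes (TEST-NET ranges), interface names, log format and every record are constructed placeholders, not data from the list.

```python
import ipaddress

# Constructed sample data, not from the thread. TEST-NET ranges stand in for
# prefixes the organisation owns; RFC 1918 addresses stand in for internal hosts.
CANARY = ipaddress.ip_network("203.0.113.0/24")   # owned, deliberately never announced
ROUTED = ipaddress.ip_network("198.51.100.0/24")  # owned and announced; the collector lives here

# Flow records captured at the authorized uplink: time src dst proto port note
UPLINK_FLOWS = """\
2025-08-19T16:40:01 192.168.5.10 203.0.113.7 tcp 22 syn-ack
2025-08-19T16:40:01 192.168.5.11 203.0.113.7 icmp 0 echo-reply
2025-08-19T16:40:02 192.168.5.10 198.51.100.9 tcp 443 syn-ack
2025-08-19T16:40:03 192.168.7.20 192.0.2.50 tcp 443 syn
"""

# Flow records seen by the collector sitting inside the routed prefix.
COLLECTOR_FLOWS = """\
2025-08-19T16:40:02 192.168.5.10 198.51.100.9 tcp 443 syn-ack
2025-08-19T16:40:04 192.168.9.40 198.51.100.9 tcp 443 syn-ack
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, note = line.split()
        records.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "port": int(port),
            "note": note,
        })
    return records


def flow_key(r):
    """Coarse 4-tuple used to match the same reply at two observation points."""
    return (str(r["src"]), str(r["dst"]), r["proto"], r["port"])


def responders_via_uplink(uplink, canary=CANARY):
    """Internal hosts whose replies to canary-sourced probes left via the
    authorized uplink: they answered, and their default route points there."""
    return sorted({str(r["src"]) for r in uplink if r["dst"] in canary})


def rogue_uplink_suspects(uplink, collector, routed=ROUTED):
    """Replies that reached the routed collector but never crossed the
    authorized uplink: they must have used some other path out."""
    seen_at_uplink = {flow_key(r) for r in uplink if r["dst"] in routed}
    return sorted({str(r["src"]) for r in collector
                   if r["dst"] in routed and flow_key(r) not in seen_at_uplink})


def leak_report(uplink_text=UPLINK_FLOWS, collector_text=COLLECTOR_FLOWS):
    """Run both checks over the two record sets and return the findings."""
    uplink = parse_flows(uplink_text)
    collector = parse_flows(collector_text)
    return {
        "answered_via_uplink": responders_via_uplink(uplink),
        "rogue_uplink_suspects": rogue_uplink_suspects(uplink, collector),
    }


if __name__ == "__main__":
    for finding, hosts in leak_report().items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```

Two caveats for real deployments: the canary prefix must have no route inside the network other than the default, or replies will not head for the uplink at all; and a rogue uplink that NATs will rewrite the source address, so the match has to be made on the probe payload or timing rather than on the 4-tuple used here.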

There are other reasons to do it intentionally. You can use 10/8 to exfiltrate data. So you could have a receiving system that catalogs every 10.x IP address and then assembles them in order for a bit stream. You can exfiltrate data pretty quickly. Think of it like a number station.
Jonathan Kalbfeld
office: +1 310 317 7933 fax: +1 310 317 7901 home: +1 310 317 7909 mobile: +1 310 227 1662
ThoughtWave Technologies, Inc. Studio City, CA 91604 https://thoughtwave.com
View our network at https://bgp.he.net/AS54380
+1 844 42-LINUX
On Aug 19, 2025 at 12:13 PM, Joe Greco via NANOG <nanog@lists.nanog.org> wrote:
On Tue, Aug 19, 2025 at 07:10:54PM +0200, Bill Woodcock via NANOG wrote:
Of course you may be talking about doing it _intentionally_. I don't know of a reason to do it, but sure, it can be done. It'll get dropped by anybody running uRPF.
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/HEOW6YA7H7FS5IRR4LIPXNV4Q7FESVK6/

On Tue, Aug 19, 2025 at 3:56 PM, Jonathan Kalbfeld <nanog@lists.nanog.org> wrote:
There are other reasons to do it intentionally.
Yup, there are other intentional places where you can emit packets which are not announced.
For example, the Reserved IPv4 Dummy Address (192.0.0.8): RFC7600 - "IPv4 Residual Deployment via IPv6 - A Stateless Solution (4rd)" <https://datatracker.ietf.org/doc/rfc7600/> Sec 4.6: "R-22: If a CE or BR receives an ICMPv6 error message [RFC4443], it MUST synthesize an ICMPv4 error packet [RFC792]. This packet MUST contain the first 8 octets of the discarded packet's IP payload. The reserved IPv4 dummy address (192.0.0.8/32; see Section 6) MUST be used as its source address."
W
You can use 10/8 to exfiltrate data. So you could have a receiving system that catalogs every 10.x IP address and then assembles them in order for a bit stream. You can exfiltrate data pretty quickly. Think of it like a number station.
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ PLFI75KYZXX7AZW7JLM2YL6MYW56CSGZ/

Off-list: Does this mean that any IP source spoof prevention mechanism needs an exception for ICMP error packets sourced from 192.0.0.8?
Yours,
Joel
On 8/19/2025 6:07 PM, Warren Kumari via NANOG wrote:
On Tue, Aug 19, 2025 at 3:56 PM, Jonathan Kalbfeld <nanog@lists.nanog.org> wrote:
There are other reasons to do it intentionally.
Yup, there are other intentional places where you can emit packets which are not announced.
For example, the Reserved IPv4 Dummy Address (192.0.0.8): RFC7600 - "IPv4 Residual Deployment via IPv6 - A Stateless Solution (4rd)" <https://datatracker.ietf.org/doc/rfc7600/> Sec 4.6: "R-22: If a CE or BR receives an ICMPv6 error message [RFC4443], it MUST synthesize an ICMPv4 error packet [RFC792]. This packet MUST contain the first 8 octets of the discarded packet's IP payload. The reserved IPv4 dummy address (192.0.0.8/32; see Section 6) MUST be used as its source address."
W
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/MHFSGEQU...

Largely, yes...
W
On Tue, Aug 19, 2025 at 6:16 PM, Joel Halpern <nanog@lists.nanog.org> wrote:
Off-list: Does this mean that any IP source spoof prevention mechanism needs an exception for ICMP error packets sourced from 192.0.0.8?
Yours,
Joel
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/M67A3QZH...
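Bill's remark that uRPF drops such packets, Jonathan's 10/8 source-address scenario and Joel's question about 192.0.0.8, as one added example that is not part of the thread: a small Python model of source address validation at an edge router, with strict and loose uRPF over a longest-prefix-match FIB and the RFC 7600 R-22 exception applied only to ICMPv4 error messages. Interface names, prefixes (TEST-NET ranges) and the packets are constructed; it models the checks, it is not any vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv4 error message types (RFC 792 / RFC 1812): destination unreachable,
# source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
# Reserved IPv4 dummy address that RFC 7600 R-22 mandates as the source of
# synthesized ICMPv4 errors (quoted by Warren above).
DUMMY_4RD_SOURCE = ipaddress.ip_address("192.0.0.8")


@dataclass(frozen=True)
class Packet:
    src: str                    # source address as written in the IP header
    ingress: str                # interface the packet arrived on (constructed names)
    proto: str = "udp"
    icmp_type: Optional[int] = None


class Fib:
    """Longest-prefix-match table mapping prefix -> outgoing interface."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_verdict(fib, pkt, mode="strict", allow_4rd_dummy=True):
    """Return 'accept' or 'drop' for pkt under strict or loose uRPF.

    strict: the best route for the source must point back at the ingress interface.
    loose:  the source merely has to be present in the FIB at all.
    The RFC 7600 exception admits 192.0.0.8 only as the source of an ICMPv4 error.
    """
    src = ipaddress.ip_address(pkt.src)
    if src == DUMMY_4RD_SOURCE:
        ok = allow_4rd_dummy and pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERROR_TYPES
        return "accept" if ok else "drop"
    hit = fib.lookup(src)
    if hit is None:
        return "drop"            # unrouted source: dropped in both modes
    if mode == "loose":
        return "accept"
    return "accept" if hit[1] == pkt.ingress else "drop"


def build_edge_fib():
    """Constructed edge-router FIB: one announced customer prefix, one peer prefix,
    no default route (routers normally exclude the default from uRPF lookups)."""
    fib = Fib()
    fib.add("198.51.100.0/24", "cust1")   # customer prefix that is announced
    fib.add("192.0.2.0/24", "peer1")      # a peer's prefix
    return fib


def demo():
    """Walk the cases raised in the thread and return the verdict for each."""
    fib = build_edge_fib()
    results = {}
    # Legitimate customer traffic passes strict uRPF.
    results["customer_ok"] = urpf_verdict(fib, Packet("198.51.100.7", "cust1"))
    # The same source arriving from the peer side: strict drops, loose accepts.
    results["wrong_iface_strict"] = urpf_verdict(fib, Packet("198.51.100.7", "peer1"))
    results["wrong_iface_loose"] = urpf_verdict(fib, Packet("198.51.100.7", "peer1"), mode="loose")
    # Jonathan's 10/8 case: never in the FIB, so dropped even by loose uRPF.
    results["rfc1918_src"] = urpf_verdict(fib, Packet("10.1.2.3", "cust1"), mode="loose")
    # The OP's case: customer-owned 203.0.113.0/24 that is never announced upstream.
    unannounced = Packet("203.0.113.9", "cust1")
    results["unannounced_before"] = urpf_verdict(fib, unannounced)
    fib.add("203.0.113.0/24", "cust1")    # operator installs a local route toward the customer
    results["unannounced_after"] = urpf_verdict(fib, unannounced)
    # Joel's question: a synthesized ICMPv4 error from 192.0.0.8.
    icmp_err = Packet("192.0.0.8", "cust1", proto="icmp", icmp_type=3)
    results["dummy_icmp_error"] = urpf_verdict(fib, icmp_err)
    results["dummy_icmp_error_no_exception"] = urpf_verdict(fib, icmp_err, allow_4rd_dummy=False)
    results["dummy_udp"] = urpf_verdict(fib, Packet("192.0.0.8", "cust1", proto="udp"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The point the `unannounced_before` / `unannounced_after` pair makes is that uRPF consults the local FIB, not the global table: a customer prefix that is never propagated in BGP still passes strict uRPF at the first hop as long as that hop carries a route for it toward the customer interface, and without such a route the one-way traffic the OP describes is dropped there. The 192.0.0.8 exception is deliberately narrow, matching only ICMPv4 error types, so it does not become a general hole for spoofed traffic from that address.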
participants (9)
- Bill Woodcock
- Dale W. Carder
- Joe Greco
- Joel Halpern
- Jonathan Kalbfeld
- Josh Luthman
- Robert McKay
- Sriram, Kotikalapudi (Fed)
- Warren Kumari