Define "network border." I used to block all traffic from or to RFC1918
[root@Overkill /]# traceroute mae-east.fnsi.net traceroute to mae-east.fnsi.net (192.41.177.11), 30 hops max, 40 byte packets -----> 1 border-core0-eth1.Columbus.EnterZone.Net (209.41.244.1) 0.538 ms 0.444 ms 0.411 ms | 2 core1-eth0-ENTERZONE.Columbus.fnsi.net (209.115.127.21) 0.916 ms 0.783 ms 0.774 ms | ---> 3 border1-atm6.Vienna.fnsi.net (206.183.239.90) 23.132 ms 23.797 ms 23.829 ms | | | |-- That is the network border of my provider at mae-east. | |---- That is the network border for MY network. The DEMARC where my network ends and my providers begins. I can't tell you precisely where yours is since @home has decided to block the traceroute. [root@Overkill /]# traceroute www.senie.com traceroute: Warning: Multiple interfaces found; using 209.41.244.2 @ eth0 traceroute to fennel.senie.com (204.69.207.2), 30 hops max, 40 byte packets 1 border-core0-eth1.Columbus.EnterZone.Net (209.41.244.1) 0.542 ms 0.438 ms 0.411 ms 2 core1-eth0-ENTERZONE.Columbus.fnsi.net (209.115.127.21) 0.896 ms 0.768 ms 0.731 ms 3 core1-atm0.Cleveland.fnsi.net (209.115.127.102) 12.083 ms 9.756 ms 9.316 ms 4 border1-atm6.SanJose.fnsi.net (206.183.239.94) 66.729 ms 65.678 ms 63.696 ms 5 bb2.mae-w.home.net (198.32.136.70) 67.027 ms 65.376 ms 76.126 ms 6 172.16.2.250 (172.16.2.250) 90.842 ms 78.524 ms * 7 172.16.2.58 (172.16.2.58) 146.095 ms 130.080 ms * 8 10.0.248.34 (10.0.248.34) 118.753 ms 125.679 ms 128.392 ms 9 10.252.48.218 (10.252.48.218) 156.053 ms !X * * 10 10.252.48.218 (10.252.48.218) 129.488 ms !X * 146.837 ms !X Bad idea in my book. By the way, you might want to ask them about all of those *'s. Nasty, nasty, nasty. In addition, path MTU discovery won't work on your network because of the RFC1918 addresses. Don't get me wrong. I personally use RFC1918 addresses within my network. Those are NON-EXPOSED hosts however and there is no need for path discovery to take place. In your case, your provider wanted to save 4 IP addresses, a /30.
addresses, but my present upstream is using 10.0.0.0/8 and 172.16.0.0/16, at least, for their internal use. So, the IP address of the WAN interface on my router connecting to them has a 10.0.0.0/8 address. If I block incoming traffic to 10.0.0.0/8, they can't monitor my net.
Find out from them SPECIFICALLY which machine they want to monitor your router from and open your router up to that IP address individually. Block the rest of them.
It appears this is becoming the preferred way for ISPs to limit their use of address space for internal-only functions. While this makes sense
The key phrase here is "internal-only." I would hardly consider your router or any router between yours and the rest of the world to be considered "internal-only."
at some levels, attached corporate networks may have already used those addresses. The result is some level of confusion, though for the most part it doesn't break too many things. Mostly, it's just annoying since firewalls can't filter out stuff they'd otherwise limit.
I can find no good reason for joe blow fortune 1000 company to use anything other than RFC1918 addresses on their INTERNAL network and run NAT or set up a proxy or something. I can also not find any good reason to use RFC1918 space between routers. It breaks too many things. I want to see you poll or for that matter, log into your router from any other network than your own. I Hope nothing happens that would require your PERSONAL attention while you're at some convention, on vacation, etc.
In cases where ISPs use RFC1918 addresses within their networks, they really should:
- Tell their downstream customers WHICH of these blocks are in use.
- Provide filters at peering points that ensure RFC1918 addresses from outside the ISP's space do not come in from outside.
- Provide Ingress filtering at all downstream customer ports to ensure only valid source IP addresses come from their customers.
...and one last point... - Have someone loan them a clue about why they should NOT use RFC1918 space in the way your isp is doing so. ------- John Fraizer | __ _ The System Administrator | / / (_)__ __ ____ __ | The choice mailto:John.Fraizer@EnterZone.Net | / /__/ / _ \/ // /\ \/ / | of a GNU http://www.EnterZone.Net/ | /____/_/_//_/\_,_/ /_/\_\ | Generation A 486 is a terrible thing to waste...