In the big recurring battle on NANOG, the topic of RFC 1918 addrs comes up because some people like using them for endpoints of point-to-point links between routers within their transit networks, and others condemn that practice, citing the urgent operational necessity to run traceroute, which requires "seeing" each interface on the path through the transit network, and the recommendation in RFC 1918 itself to filter RFC 1918 addrs at the border.
the traceroute thing annoys me. there is an operational concern as well though. consider this simplistic network:

    [ME] ---- [NAT] ---- [SOMEONE] ---- [SITE]

where i'm using 172.16/16 internally, and the nat device is my gateway so that i can reach out to the internet (but they cannot reach back in :). then suppose that i'm using pmtu discovery and that someone is using 172.16/16 for their point to point serial links. if i filter icmp from 1918, my connection will hang. on the other hand, if i don't it will appear that i'm getting icmp need frag messages from *inside* my own network.
The juxtaposition of these two threads, RFC1918+NAT for security and RFC 1918 link addrs, brought to my mind an interesting question. Since some folks get so outspokenly upset if they see RFC 1918 addrs in a traceroute, I wonder if it'd be possible to configure a border router to NAT those RFC 1918 addrs. Obviously this would be something you'd want to be able to switch on and off on a per-customer basis; folks who'd rather see the real assigned addrs in their traceroute output would ask for this to be left off, those who cannot abide the sight of those addrs could have it turned on, and so would see repetitions of the NAT-ting border router addr with the increasing hop count until the far edge of the net was reached.
they shouldn't need to nat icmp messages. that would be hokey. what they ought to do (imho), is set the icmp source address on these routers to something that *is* globally reachable. or at least makes more sense. that, of course, presupposes that they *have* globally reachable addresses. i can't imagine why they wouldn't, but...

--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org                   * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com                      * "information is power -- share the wealth."
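A small model of the two problems raised in the exchange above (a border filter that drops every RFC 1918-sourced ICMP stalls PMTU discovery, and a need-frag that gets through looks like it came from inside my own 172.16/16), together with the reply's suggestion of sourcing ICMP from a globally reachable router address. This is an added example, not code from the thread; the path, its interface addresses, MTUs and loopback mapping are all constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MY_NET = ipaddress.ip_network("172.16.0.0/16")   # what [ME] uses behind the NAT (constructed)

def is_rfc1918(src):
    return any(ipaddress.ip_address(src) in net for net in RFC1918)

def appears_internal(src):
    """True if an ICMP source address collides with my own private numbering."""
    return ipaddress.ip_address(src) in MY_NET

# Constructed path from [ME] toward [SITE]: (router interface address, MTU of its next link).
# [SOMEONE] numbers its serial links from 172.16/16, overlapping what [ME] uses internally.
PATH = [
    ("203.0.113.1", 1500),   # my NAT gateway, outside interface
    ("172.16.9.1", 1500),    # [SOMEONE]'s first router, 172.16/16 link address
    ("172.16.9.2", 576),     # [SOMEONE]'s serial link with a small MTU
    ("198.51.100.1", 1500),  # [SITE]'s border router
]
# The fix proposed in the reply: routers source ICMP from a globally reachable loopback.
LOOPBACK = {"172.16.9.1": "192.0.2.1", "172.16.9.2": "192.0.2.2"}   # constructed

def drop_all_rfc1918_icmp(src, icmp_type, icmp_code):
    """Naive border filter: discard every ICMP message sourced from RFC 1918 space."""
    return is_rfc1918(src)

def drop_rfc1918_icmp_except_frag_needed(src, icmp_type, icmp_code):
    """Same filter, but admit 'fragmentation needed' (type 3, code 4) so PMTUD survives."""
    return is_rfc1918(src) and not (icmp_type == 3 and icmp_code == 4)

def pmtud(path, size, drop, icmp_src=lambda a: a, max_tries=8):
    """Send DF packets of `size`, shrinking on each frag-needed that reaches the sender.
    Returns (outcome, final_size, ICMP source addresses emitted along the way)."""
    seen = []
    for _ in range(max_tries):
        for addr, mtu in path:
            if size > mtu:
                src = icmp_src(addr)          # address the router puts on its ICMP
                seen.append(src)
                if drop(src, 3, 4):
                    # Frag-needed never arrives: the sender retransmits the same size forever.
                    return ("hang", size, seen)
                size = mtu                    # adopt the next-hop MTU the router reported
                break
        else:
            return ("delivered", size, seen)
    return ("hang", size, seen)
```

Call `pmtud(PATH, 1500, drop_all_rfc1918_icmp)` to see the hang, and pass `icmp_src=lambda a: LOOPBACK.get(a, a)` to see the same filter become harmless once the routers source ICMP from global addresses.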