ISPs Blocking Private Addresses?
Do most ISPs explicitly block private IP addresses (e.g. 10.X.X.X) at their borders?
Do the "default-less" ISPs filter private addresses or do they let routing/forwarding do the work?
thanks, peter
route-views.oregon-ix.net>sh ip bgp 10.0.0.0
% Network not in table
route-views.oregon-ix.net>

Looks like it. Filter everyone... trust no one. (aphorism of the day)

brad reynolds
ber@cwru.edu
On Sun, 8 Feb 1998, Peter Ford wrote:
Do most ISPs explicitly block private IP addresses (e.g. 10.X.X.X) at their borders?
Do the "default-less" ISPs filter private addresses or do they let routing/forwarding do the work?
This comes in two parts.

First, nearly all clueful providers will filter BGP announcements of private IP space. While such announcements should never happen, they happen amazingly often. People that filter these announcements may be... half the Internet, but I'm cynical today.

Second, some providers filter traffic using private IP space. This is a significantly smaller percent. One problem that you can run into if you do filter traffic from private IP space is that if someone is using a router using private IP space on an interface, you can break PMTU-D by doing this filtering. Another problem (but a lesser one) is that traceroute to sites passing through a router using a private address on an interface will show a row of timeouts. This is the fault of the person using private IP addresses for a router and having that router generate ICMP messages using that address, but...

If you are using private address space internally for router interfaces or whatever, then you want to filter it to prevent spoofing. But if you do that then you cause problems with other people who do the exact same thing you are doing, which isn't too smart.

I do see an amazing amount of traffic (i.e. attempted connections) from machines using private addresses. While others are far more qualified to judge numbers than I am, I wouldn't say it is clear that most block them, but a reasonable minority do.
Peter,
Do most ISPs explicitly block private IP addresses (e.g. 10.X.X.X) at their borders?
Do the "default-less" ISPs filter private addresses or do they let routing/forwarding do the work?
More clueful ISPs do in fact block private address space exchange via BGP. Many also filter. Smaller ISPs tend to miss these steps, and there is frequently someone advertising private space at the NAPs from time to time. And some believe it, surprisingly.

Many cable networks, like Rogers and @Home, use net 10 for numbering internal devices for SNMP surveillance, like modems and switches. While INTERNIC may not mandate it, they are sensitive to 2 IP addresses per household drawn from the public space. As such, when @Home and Rogers merged networks, there was some private address space reconciliation required.

Thus, you cannot assume that private address space is not routed "privately" within a given ISP's backbone. Needless to say, they are usually very vigilant about route and packet filtering.

Regards,
Eric Carroll
eric.carroll@acm.org
Tekton Internet Associates
Most people use what's commonly referred to as Martian filters to filter out private address spacing. It allows those ISPs to use private address space internally and not have to worry about advertising them via external routing protocols and also keeps them from accepting bogus route announcements from other providers who haven't used the filters.

On Sun, 8 Feb 1998, Peter Ford wrote:
Do most ISPs explicitly block private IP addresses (e.g. 10.X.X.X) at their borders?
Do the "default-less" ISPs filter private addresses or do they let routing/forwarding do the work?
Default-less?
thanks, peter
Joe Shaw - jshaw@insync.net NetAdmin - Insync Internet Services
On Mon, Feb 09, 1998 at 02:42:19PM -0600, Joe Shaw wrote:
Most people use what's commonly referred to as Martian filters to filter out private address spacing. It allows those ISPs to use private address space internally and not have to worry about advertising them via external routing protocols and also keeps them from accepting bogus route announcements from other providers who haven't used the filters.
There's an important distinction to be made, Joe, between filtering _packets_ and filtering _announcements_. Martian filters usually filter packets. What you announce, and what you send, need not have anything to do with one another.
Do the "default-less" ISPs filter private addresses or do they let routing/forwarding do the work?
Default-less?
Yes: backbones whose routers have no default place to send packets not handled by some explicit route.

Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "Two words: Darth Doogie." -- Jason Colby,
Tampa Bay, Florida on alt.fan.heinlein +1 813 790 7592
Managing Editor, Top Of The Key sports e-zine ------------ http://www.totk.com
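
The distinction drawn in the thread between filtering announcements and filtering packets, and the PMTU-D and traceroute side effects of the packet filter, as an added example that is not part of the original messages. The function names and the sample data are assumptions made for illustration; the 172.16.0.0/12 and 192.168.0.0/16 blocks are added alongside the thread's 10.X.X.X.

```python
import ipaddress

# RFC 1918 private blocks; the thread's example is 10.X.X.X.
PRIVATE = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP (type, code) pairs whose loss has the side effects described in the thread.
ICMP_SIDE_EFFECTS = {
    (3, 4): "PMTU-D broken: 'fragmentation needed' dropped",
    (11, 0): "traceroute hop shows as a timeout: 'TTL exceeded' dropped",
}

def reject_announcement(prefix):
    """Route filter: refuse an announcement equal to or inside private space."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(p) for p in PRIVATE)

def drop_packet(src):
    """Packet filter: drop a packet whose source address is private."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in PRIVATE)

def filter_routes(announcements):
    """Return the announcements that survive the route filter."""
    return [a for a in announcements if not reject_announcement(a)]

def filter_packets(packets):
    """Return (passed, dropped, side_effects) for the packet filter."""
    passed, dropped, side_effects = [], [], []
    for pkt in packets:
        if not drop_packet(pkt["src"]):
            passed.append(pkt)
            continue
        dropped.append(pkt)
        effect = ICMP_SIDE_EFFECTS.get(pkt.get("icmp"))
        if effect:
            side_effects.append(f'{pkt["src"]}: {effect}')
    return passed, dropped, side_effects

# Constructed sample input; public addresses are documentation prefixes.
ANNOUNCEMENTS = ["10.0.0.0/8", "10.20.0.0/16", "192.0.2.0/24", "172.32.0.0/16"]
PACKETS = [
    {"src": "10.9.8.7", "proto": "tcp"},                    # attempted connection
    {"src": "198.51.100.5", "proto": "tcp"},                # ordinary traffic
    {"src": "10.1.1.1", "proto": "icmp", "icmp": (3, 4)},   # router on private space
    {"src": "10.1.1.1", "proto": "icmp", "icmp": (11, 0)},  # same router, traceroute
]

if __name__ == "__main__":
    print(filter_routes(ANNOUNCEMENTS))
    print(*filter_packets(PACKETS)[2], sep="\n")
```

The two filters are independent: a border can apply the route filter alone and still forward packets sourced from 10.1.1.1, which is the case where PMTU-D and traceroute keep working.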
participants (7)
- Bradley Reynolds
- Eric M. Carroll
- Jay R. Ashworth
- Joe Shaw
- Marc Slemko
- Peter Ford
- Richard Yoo