[NTLUG:Discuss] internet routing of private IPs causing problems..
Greg Edwards
gedwards at netbsa.org
Wed Jan 9 13:46:43 CST 2008
> -----Original Message-----
> From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On
> Behalf Of Richard Geoffrion
> Sent: Wednesday, January 09, 2008 11:28 AM
>
> Am I misunderstanding something about RFC1918 (
> http://www.rfc-archive.org/getrfc.php?rfc=1918 )? It is my
> understanding that RFC1918 dictates that the private ip address
> ranges...
>
>
> ...are to be filtered out from routers from routers that are on the
> internet (ie ISP routers)? Quote:
>
>
> That SEEMS pretty clear cut to me and in all my years of networking
> has
> been the standard. Now I'm being told by a (supposedly) major
> DATA/TELCOM company that it is the responsibility of the customer
> premise equipment performing NAT to filter outbound requests to IP
> address in the specified private address range.
>
>
> Do I have the high-ground here or does the ISP have any shred of
> evidence on which to stand?
>
>
> --
> Richard
My understanding is that a destination address within the private
address range will be rejected when received by a router that is
managing a public network. Your ISP's router should not be configured to
forward private destination addresses. I guess that doesn't mean that
it won't. If your ISP is being cheap and routing their private networks
on the same hardware as the public network this would create a problem.
You have the high ground, but that doesn't mean you'll win.
I assume that you're running a firewall (i.e. shorewall) on connection?
Set your net source to reject all and then accept only the ports
(services) that you want open and nat all of your net destination
traffic. This will prevent private sources from getting to the ISP and
reject private destinations trying to get in.
Another choice would be to give your money to an ISP that provides a
better service than this. Your private traffic probably can't get any
further than your ISP since somewhere down the line you'll hit a router
that works the way it should.
--
Greg Edwards
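Greg's firewall recipe, as an added example that is not part of the thread: a POSIX shell script that emits an iptables-restore rule set for a Linux NAT gateway, dropping RFC1918 sources arriving from the ISP and private destinations leaving toward it, rejecting all other inbound traffic except the listed ports, and NATing the LAN. The interface names, LAN subnet and port list are assumed inputs.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore
# rule set for a NAT gateway that filters RFC1918 on its WAN side.
# Assumed inputs: WAN interface, LAN interface, LAN subnet, allowed TCP ports.

RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# is_rfc1918 ADDR: succeed when a dotted-quad address lies in a private block
is_rfc1918() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    if [ "$1" -eq 10 ]; then return 0
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0
    fi
    return 1
}

# gen_rules WAN_IF LAN_IF LAN_NET "PORT ...": print rules in iptables-restore syntax
gen_rules() {
    wan=$1; lan=$2; lan_net=$3; ports=$4
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "-A INPUT -i lo -j ACCEPT" "-A INPUT -i $lan -s $lan_net -j ACCEPT"
    for net in $RFC1918; do
        # a private source must never arrive from the internet side
        printf '%s\n' "-A INPUT -i $wan -s $net -j DROP" "-A FORWARD -i $wan -s $net -j DROP"
        # a private destination must never be sent toward the ISP
        printf '%s\n' "-A FORWARD -o $wan -d $net -j DROP" "-A OUTPUT -o $wan -d $net -j DROP"
    done
    printf '%s\n' "-A INPUT -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        # only the services you deliberately expose are reachable from the net
        printf '%s\n' "-A INPUT -i $wan -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -i $wan -j REJECT"
    printf '%s\n' "-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' 'COMMIT' '*nat' ':POSTROUTING ACCEPT [0:0]'
    # NAT everything from the LAN that leaves via the WAN interface
    printf '%s\n' "-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE" 'COMMIT'
}

# Usage on the gateway: gen_rules eth0 eth1 192.168.1.0/24 "22 443" | iptables-restore
```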