[NTLUG:Discuss] internet routing of private IPs causing problems..
Mittelgeek
mittelgeek at gmail.com
Wed Jan 9 14:21:30 CST 2008
I think that there is an RFC [the one that talks about which ranges are
reserved for private networks] that states that routers are not supposed to
route private ranges. But I got the feeling that the document was trying to
say that they can route them, but that they should not route them.
On Jan 9, 2008 1:46 PM, Greg Edwards <gedwards at netbsa.org> wrote:
> > -----Original Message-----
> > From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On
> > Behalf Of Richard Geoffrion
> > Sent: Wednesday, January 09, 2008 11:28 AM
> >
> > Am I misunderstanding something about RFC1918 (
> > http://www.rfc-archive.org/getrfc.php?rfc=1918 )? It is my
> > understanding that RFC1918 dictates that the private IP address
> > ranges...
> >
> > ...are to be filtered out from routers that are on the
> > internet (ie ISP routers)? Quote:
> >
> > That SEEMS pretty clear cut to me and in all my years of networking has
> > been the standard. Now I'm being told by a (supposedly) major
> > DATA/TELCOM company that it is the responsibility of the customer
> > premise equipment performing NAT to filter outbound requests to IP
> > addresses in the specified private address range.
> >
> > Do I have the high-ground here or does the ISP have any shred of
> > evidence on which to stand?
> >
> > --
> > Richard
>
> My understanding is that a destination address within the private
> address range will be rejected when received by a router that is
> managing a public network. Your ISP's router should not be configured to
> forward private destination addresses. I guess that doesn't mean that
> it won't. If your ISP is being cheap and routing their private networks
> on the same hardware as the public network this would create a problem.
> You have the high ground, but that doesn't mean you'll win.
>
> I assume that you're running a firewall (i.e. shorewall) on connection?
> Set your net source to reject all and then accept only the ports
> (services) that you want open and NAT all of your net destination
> traffic. This will prevent private sources from getting to the ISP and
> reject private destinations trying to get in.
>
> Another choice would be to give your money to an ISP that provides a
> better service than this. Your private traffic probably can't get any
> further than your ISP since somewhere down the line you'll hit a router
> that works the way it should.
>
> --
> Greg Edwards
>
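The edge filtering Greg describes (drop private sources coming in from the ISP, never let traffic for private destinations leak out, NAT everything else) written out as an added example; this is not code from the thread or from shorewall. It assumes a Linux box with iptables, a WAN interface and a LAN interface named on the command line, and a single-NAT layout with no private routes that legitimately cross the WAN.

```shell
#!/bin/sh
# Added example: RFC 1918 bogon filtering at the customer edge.
# Interface names, chain layout and the "drop all, open what you need"
# ordering are assumptions, not something the list thread specifies.

RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip2int A.B.C.D : print the address as a 32-bit integer (POSIX arithmetic).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# is_rfc1918 ADDR : succeed if ADDR falls inside one of the private ranges.
is_rfc1918() {
    addr=$(ip2int "$1")
    for net in $RFC1918_NETS; do
        base=$(ip2int "${net%/*}")
        bits=${net#*/}
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        [ $(( addr & mask )) -eq $(( base & mask )) ] && return 0
    done
    return 1
}

# rfc1918_rules WAN_IF LAN_IF : print the iptables commands; pipe into sh
# (as root) to apply them. Printing keeps the generator testable offline.
rfc1918_rules() {
    wan=$1; lan=$2
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    for net in $RFC1918_NETS; do
        # A private source arriving from the internet is spoofed or leaked
        # by the ISP: drop it before any stateful accept can match it.
        echo "iptables -A INPUT -i $wan -s $net -j DROP"
        echo "iptables -A FORWARD -i $wan -s $net -j DROP"
        # Private destinations must never go out the WAN side; REJECT so
        # the LAN host gets an immediate error instead of a timeout.
        echo "iptables -A OUTPUT -o $wan -d $net -j REJECT"
        echo "iptables -A FORWARD -o $wan -d $net -j REJECT"
    done
    echo "iptables -A INPUT -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Add per-service ACCEPT rules for inbound ports here, then NAT outbound.
    echo "iptables -A FORWARD -i $lan -o $wan -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
}
```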