North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ISPs Blocking Private Addresses?

  • From: Marc Slemko
  • Date: Sun Feb 08 19:35:30 1998

On Sun, 8 Feb 1998, Peter Ford wrote:

> 
> Do most ISPs explicitly block private IP addresses (e.g. 10.X.X.X) at their
> borders?
> 
> Do the "default-less" ISPs filter private addresses or do they let
> routing/forwarding do the work?

This comes in two parts.

First, nearly all clueful providers will filter BGP announcements of
private IP space.  While such announcements should never happen, they
happen amazingly often.  People that filter these announcements may be... 
half the Internet, but I'm cynical today.

Second, some providers filter traffic using private IP space.  This is a
significantly smaller percent.  One problem that you can run into if you
do filter traffic from private IP space is that if someone is using a
router using private IP space on an interface, you can break PMTU-D by
doing this filtering.  Another problem (but a lesser one) is that
traceroute to sites passing through a router using a private address on an
interface will show a row of timeouts.  This is the fault of the person
using private IP addresses for a router and having that router generate
ICMP messages using that address, but... 

If you are using private address space internally for router interfaces or
whatever, then you want to filter it to prevent spoofing.  But if you do
that then you cause problems with other people who do the exact same thing
you are doing which isn't too smart.

I do see an amazing amount of traffic (ie. attempted connections) from
machines using private addresses. 

While others are far more qualified to judge numbers than I am, I wouldn't
say it is clear that most block them, but a reasonable minority do.