North American Network Operators Group


Re: private RFC-1918 addresses on public routers

  • From: Forrest W. Christian
  • Date: Fri Feb 18 06:18:13 2000

It used to be that "be conservative in what you send, be liberal in what
you accept" was the rule.

Unfortunately, that is getting less and less the case.  And that is
causing more and more breakage.

In this case, you have two sides of the coin:

1)  Those who filter ICMPs in 1918 space are being not-very-liberal in
what they accept.  However, given the "current" attacks which usually end
up being a large portion of ICMPs from 1918 space, filtering on this
space on your "net-facing" links is becoming a necessary protection on
most networks.

2)  Those who number internet-visible links with 1918 space are being
not-very-conservative in what they send.  However, given the pressure of
address space conservation, this seems to be happening more and more.

When a network path contains 1) and 2) in a "conservative in what you
accept, liberal in what you send" configuration, breakage WILL occur.

Most notably MTU path discovery will cease to function in some
cases.  This breakage tends to be hard to detect by the average user
and/or net admin.  How many people even know that MTU discovery exists or
what the symptoms of breakage are?  Personally, I think the most common
symptom is people will call your help desk saying "This @#*$ thing
doesn't work, fix it."

Also, all along the path there are useful ICMP messages that get sent
back.  ICMP Source Quench packets for telling the sender to slow
down.  ICMP Unreachables to indicate the path has failed.  Etc. Etc. Etc.

If these ICMP packets originate from a 1918 numbered interface, breakage
of that function will occur.  Flows won't slow down.  Traceroutes will
star out on that interface, etc.  (Now that I've said that, I'm a little
worried that traceroutes at least some of the time don't use ICMP, but
the symptom is the same regardless of the underlying protocol used.)

I think it is a given that filtering ICMPs (and everything else) from
bogons is here to stay.  In that context, the only way for the network to
function correctly is to not send "useful" packets from 1918 space.  Which
includes ICMP generated by routers using 1918 space.

- Forrest W. Christian ([email protected]) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
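The interaction the post describes, as an added worked example that is not part of the original message or of anything Forrest posted: a tiny simulation of path MTU discovery and traceroute across a three-hop path whose middle router is numbered from RFC 1918 space, with the sender's net-facing link dropping anything sourced from a 1918 address. The topology, the link MTUs, the public addresses (taken from the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 documentation ranges) and the simplified "router sources its ICMP from the interface the packet arrived on" model are all constructed assumptions for the sake of the demonstration.

```python
"""Simulated PMTUD / traceroute through a path with one RFC 1918 hop.

Constructed example: topology, MTUs and addresses are assumptions, not
taken from the original post. It shows why an ICMP "fragmentation
needed" sent from a 1918-numbered interface never reaches a sender whose
edge filters bogon sources, so PMTUD silently black-holes and the hop
"stars out" in a traceroute.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three RFC 1918 blocks, spelled out rather than relying on
# ipaddress.is_private (which also covers other reserved ranges).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Hop:
    addr: str  # interface address the router will use as ICMP source
    mtu: int   # MTU of this hop's link toward the destination


def edge_filter_passes(icmp_src: str) -> bool:
    """Ingress filter on the sender's net-facing link: drop 1918 sources."""
    return not is_rfc1918(icmp_src)


def send_df(path: List[Hop], size: int) -> Tuple[str, Optional[str], Optional[int]]:
    """Forward a DF-set packet hop by hop.

    Returns ("delivered", None, None), or ("frag_needed", src, mtu) for the
    ICMP type 3 code 4 the first too-small hop would generate.
    """
    for hop in path:
        if size > hop.mtu:
            return ("frag_needed", hop.addr, hop.mtu)
    return ("delivered", None, None)


def pmtud(path: List[Hop], start_size: int = 1500, max_rounds: int = 10) -> Tuple[int, bool, int]:
    """Run PMTUD from the sender's point of view.

    Returns (final packet size, delivered?, rounds used). If the ICMP
    error is filtered the sender learns nothing and keeps retrying at the
    same size until it gives up: the classic PMTUD black hole.
    """
    size = start_size
    for rounds in range(1, max_rounds + 1):
        result, src, mtu = send_df(path, size)
        if result == "delivered":
            return size, True, rounds
        if not edge_filter_passes(src):
            continue  # ICMP never arrives; nothing to adapt to
        size = mtu
    return size, False, max_rounds


def traceroute(path: List[Hop]) -> List[Optional[str]]:
    """Which hops answer with ICMP time-exceeded; None = '* * *'."""
    return [hop.addr if edge_filter_passes(hop.addr) else None for hop in path]


# Constructed sample paths: identical except for the middle hop's numbering.
PUBLIC_PATH = [Hop("203.0.113.1", 1500), Hop("198.51.100.1", 1400), Hop("192.0.2.1", 1500)]
PRIVATE_PATH = [Hop("203.0.113.1", 1500), Hop("10.0.0.1", 1400), Hop("192.0.2.1", 1500)]

if __name__ == "__main__":
    for name, path in (("public-numbered hop", PUBLIC_PATH), ("1918-numbered hop", PRIVATE_PATH)):
        print(name, "pmtud:", pmtud(path), "traceroute:", traceroute(path))
```

Run as a script it prints one line per path: with the middle hop publicly numbered, PMTUD converges to 1400 bytes on the second round and every hop answers the traceroute; with the same hop numbered from 10.0.0.0/8, the sender exhausts its retries at 1500 bytes without ever being told why, and that hop shows up as a row of stars.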