Re: RFC1918 addresses to permit in for VPN?

[Andrew Brown <twofsonet () graffiti com>]

> > so any isp which lets the outside world see a packet with a source in 1918
> > space is in direct violation of 1918.
> ...
> Nevertheless, the operational reality is that having a traceroute that
> shows RFC1918 addresses is more useful than a traceroute that shows
> * * *, and therefore I suspect most operators will continue to permit
> RFC1918 addresses into their networks as long as a few questionable
> individuals use them to source traffic.

i think it's only useful to show that (a) something's there and (b) it
doesn't slow down the traceroute.  to combat (b), mtr is your friend.

> (If they even bother to think about it.)

there would, at least, be confusion about where the packet came from.
never mind the fact that pmtud would be slightly confused if the icmp
errors came back from an rfc1918 address to a nat that was operating
or a private network that used the same address block, consider two
networks that use the same blocks of rfc1918 space for point to point
addressing on public interfaces (that, of course, don't require global
reachability) that are trying to diagnose a routing problem.  a bit of
creative route flapping and it would become impossible.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
andrew () crossbar com       * "information is power -- share the wealth."