nanog mailing list archives

Re: ICMP weirdness


From: Robert Bonomi <bonomi () mail r-bonomi com>
Date: Mon, 18 Oct 2004 16:36:35 -0500 (CDT)


From owner-nanog () merit edu  Mon Oct 18 16:01:42 2004
Subject: Re: ICMP weirdness
From: Jim Popovitch <jimpop () yahoo com>
To: "Stephen J. Wilcox" <steve () telecomplete co uk>
Cc: nanog () merit edu
Date: Mon, 18 Oct 2004 17:01:39 -0400


On Mon, 2004-10-18 at 15:54, Stephen J. Wilcox wrote:
why not that seems ok to me.. ?

assuming you accept the 1918 assignment to your cable then its not unreasonable 
that you can get to other end users on that network

Across other non-private IP space?  I am not all that familiar w/
RFC1918, but I would think that this goes against it, or should I assume
that Insight Broadband is part of Comcast?

It appears likely that that _is_ the case.

It is numbered in historical 'Class A' space that AT&T  owns.

Comcast did buy up a bunch of AT&T's cable operations.  Both the cable TV
_and_ the internet services.

By strict definitions, your home is a _separate_ network from Comcast's 
internal network.    

As such:
   Per RFC 1918, _you_ should be doing egress filtering, to prohibit 
   RFC 1918 _destination_ addresses from exiting your network _to_ Comcast's
   network, as well as egress filtering of RFC 1918 _source_ address packets
   (with a few special-case exceptions), to be a 'good neighbor'.  In self-
   defense, you should be ingress filtering any RFC 1918 destination addresses,
   and any RFC 1918 source addressed packets (except for the special-case
   exceptions -- ICMP redirect, unreachable, TTL exceeded, etc.).

   Similarly, Comcast should, at the 'gateway' to your network, be =egress= 
   filtering any packets with RFC 1918 destination addresses, as well as any 
   RFC 1918 source address packets (except for the aforementioned special-case 
   exceptions)
   They should *also* be _ingress_ filtering any RFC 1918 destination
   addresses coming from your network, _and_ filtering out any RFC 1918 
   _source_ address packets (with the same few special-case exceptions) from
   your network.  

RFC 1918 restricts use of the 'private' address-blocks to networks under
a _single_ administrative control.   It is perfectly legitimate to use
different segments of that address-space in different locations *on*the*
*same*network*, even _with_ 'routable' addresses in between them.  The
RFC 1918 rule is that the 'private' addresses must not escape _from_ the 
network under the administrative control of that party to a network that
is controlled by 'somebody else'.

That said, a *LOT* of the world doesn't use 'strict' definitions. 

Unfortunately.

Comcast apparently considers the end-user machines as simply nodes _on_their_
_network_.  And, as such, does route RFC 1918 addresses 'internally' between
different locales, where different portions of that address-space are used
_on_the_Comcast_network_.


-Jim P.


Steve

On Mon, 18 Oct 2004, Jim Popovitch wrote:


From Comcast Cable, at my home in Atlanta, I can ping 10.10.1.1....
which is pong'ed from a private client network hanging somewhere off of
Insight Broadband's network in the North Central part of the US.  Why on
god's green earth do network operators allow such nonsense as this?

-Jim P.

Traceroute -I 10.10.1.1 produces the following:

traceroute to 10.10.1.1 (10.10.1.1), 30 hops max, 38 byte packets
 1  10.238.10.1 (10.238.10.1)  29.089 ms  25.387 ms  28.574 ms
 2  66.56.22.66 (66.56.22.66)  30.923 ms  31.305 ms  33.142 ms
 3  66.56.22.70 (66.56.22.70)  35.945 ms  35.874 ms  36.832 ms
 4  c-66-56-23-38.atl.client2.attbi.com (66.56.23.38)  34.740 ms  35.041 ms  37.537 ms
 5  12.118.184.41 (12.118.184.41)  41.967 ms  45.584 ms  43.997 ms
 6  gbr2-p70.attga.ip.att.net (12.123.21.6)  44.988 ms  44.706 ms  43.033 ms
 7  tbr2-p013602.attga.ip.att.net (12.122.12.37)  49.353 ms  44.010 ms  45.244 ms
 8  12.122.10.138 (12.122.10.138)  62.244 ms  62.269 ms  62.148 ms
 9  gbr1-p40.sl9mo.ip.att.net (12.122.11.114)  60.922 ms  67.005 ms  60.264 ms
10  gar1-p360.sl9mo.ip.att.net (12.123.24.209)  59.572 ms  64.013 ms  60.198 ms
11  12-220-0-69.client.insightBB.com (12.220.0.69)  77.000 ms  76.050 ms  77.926 ms
12  12-220-7-198.client.insightBB.com (12.220.7.198)  95.437 ms  80.068 ms  84.076 ms
13  10.10.1.1 (10.10.1.1)  93.612 ms  97.280 ms  192.994 ms
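The filtering rules Bonomi lays out above (drop RFC 1918 destinations, drop RFC 1918 sources, but let ICMP error messages from 1918-numbered router hops through) can be modelled as a small decision function. The block below is an added example written for this archive page; it is not code from the thread or from any of the operators mentioned. It assumes that "etc." in the post covers ICMP type 12 (parameter problem) alongside the named types 3, 5 and 11, uses 192.168.1.20 as a hypothetical home host, takes the other addresses from the traceroute in the thread, and ignores NAT state (a real gateway would translate 192.168.1.20 before it left). Note that the hop-1 reply from 10.238.10.1 in the traceroute is exactly the TTL-exceeded special case, while the echo reply from 10.10.1.1 at hop 13 is not, so a strict ingress filter would have swallowed the "pong" Jim saw.

```python
"""Model of the RFC 1918 boundary filtering described in the thread.

Added example, not from the NANOG post. Packets and addresses are
constructed for illustration; see the lead-in for the assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP types the post names as special cases: 3 = destination unreachable,
# 5 = redirect, 11 = time exceeded. Type 12 (parameter problem) is an
# assumption here, taken to be covered by the post's "etc.".
ICMP_ERROR_TYPES = {3, 5, 11, 12}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


def is_private(addr: str) -> bool:
    """True if addr falls in one of the three RFC 1918 blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def is_icmp_error(pkt: Packet) -> bool:
    """True for the ICMP error messages the post exempts from source filtering."""
    return pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERROR_TYPES


def boundary_filter(pkt: Packet, direction: str) -> Tuple[str, str]:
    """Decide whether a packet may cross the administrative boundary.

    direction is "egress" (leaving our network) or "ingress" (entering it).
    The post applies the same two checks on both sides of the gateway, so
    direction only changes the wording of the reason.
    Returns (verdict, reason) with verdict "accept" or "drop".
    """
    if direction not in ("egress", "ingress"):
        raise ValueError("direction must be 'egress' or 'ingress'")
    if is_private(pkt.dst):
        return "drop", f"{direction}: RFC 1918 destination {pkt.dst} must not cross the boundary"
    if is_private(pkt.src):
        if is_icmp_error(pkt):
            return "accept", (f"{direction}: ICMP type {pkt.icmp_type} from "
                              f"RFC 1918 hop {pkt.src} allowed as special case")
        return "drop", f"{direction}: RFC 1918 source {pkt.src} must not cross the boundary"
    return "accept", f"{direction}: both addresses globally routable"


def apply_ruleset(packets: List[Packet], direction: str) -> List[Tuple[str, str]]:
    """Run boundary_filter over a list of packets in one direction."""
    return [boundary_filter(p, direction) for p in packets]


# Constructed sample traffic. 192.168.1.20 is a hypothetical home host; the
# other addresses are the ones that appear in the traceroute in the thread.
SAMPLE_EGRESS = [
    Packet("192.168.1.20", "10.10.1.1", "icmp", 8),   # the ping that should never leave
    Packet("192.168.1.20", "12.220.7.198", "tcp"),    # untranslated 1918 source: drop
    Packet("66.56.23.38", "12.220.7.198", "tcp"),     # NAT'd public source: fine
]
SAMPLE_INGRESS = [
    Packet("10.238.10.1", "66.56.23.38", "icmp", 11),  # hop-1 TTL exceeded: special case
    Packet("10.238.10.1", "66.56.23.38", "tcp"),       # TCP from a 1918 gateway: drop
    Packet("10.10.1.1", "66.56.23.38", "icmp", 0),     # echo reply from 1918 host: drop
]

if __name__ == "__main__":
    for pkts, d in ((SAMPLE_EGRESS, "egress"), (SAMPLE_INGRESS, "ingress")):
        for p, (verdict, reason) in zip(pkts, apply_ruleset(pkts, d)):
            print(f"{verdict:6s} {p.src:>14s} -> {p.dst:<14s} {p.proto}/{p.icmp_type}: {reason}")
```

The same two checks are meant to run on both sides of the gateway, so the home router's egress table and Comcast's ingress table for that subscriber would each reject the first egress packet; the echo reply from 10.10.1.1 only arrived because neither side was filtering.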





