Re: 192.168.x.x oddities

[Ranjeet Shetye <ranjeet.shetye2 () zultys com>]

* Nathaniel Hall (halln () otc edu) wrote:
> A common misconception is that the 10.0.0.0, 172.16.0.0 and 192.168.0.0
> network are non-routable.  This is NOT true.  Most routers are setup to not
> route the addresses, but they can be routed.

To be very precise, RFC 1918 addresses are not *publicly* routable. They
are privately routable e.g. routing such packets between Engineering and
Testing within a company, where all addresses are RFC 1918 addresses.

> Your problem could be this or it could be that a system is mis-configured
> and is just trying to figure out where it can go.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
> Nathaniel Hall
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
> 417-799-0552
>
> -----Original Message-----
> From: Jimmy Brokaw [mailto:hedgie () hedgie com] 
> Sent: Monday, June 14, 2004 4:49 PM
> To: security-basics () securityfocus com
> Subject: 192.168.x.x oddities
>
> This seems like a stupid question from a non-guru like me, but I've asked
> a couple of the "gurus" I know and gotten nothing but strange looks.
>
> I run a small network at home, using a wireless router to connect to a
> cable modem.  My internal IPs all fall in the 192.168.0.x range, which is
> the only address-space the router is configured to support.  I've got
> authentication and logging, so before anyone says "I bet it's a neighbor
> using your connection," I've verified nobody else is logging in.
>
> My understanding is that the entire 192.168.x.x range is for internal
> networks only (RFC 1918), and unrouteable on the Internet.  When I run the
> following command, however, I can see several computers:
>
> [computer]$ nmap 192.168.*.* -sP
>
> I get what looks like four computers (in addition to mine), plus some x.0
> and x.255 addresses responding to the pings.  I picked one at random, and
> it appears to belong to my ISP.  Doing a traceroute, I found the packet
> reached its destination at a public (routeable) address, indicating to me
> the machine has two addresses on the same interface.  RFC 1918 states:
>
>    One might be tempted to have both public and private addresses on the
>    same physical medium. While this is possible, there are pitfalls to
>    such a design (note that the pitfalls have nothing to do with the use
>    of private addresses, but are due to the presence of multiple IP
>    subnets on a common Data Link subnetwork).  We advise caution when
>    proceeding in this area.
>
> Am I therefore correct in my assumption that the ISP is routing my pings
> onto their internal network?  Is this a normal response?  It seems like
> there ought to be security concerns here, but I can't nail them down,
> except the assumption that traffic destined for 192.168.x.x addresses may
> not be filtered as well (or at all), since it may be assumed it originated
> from within the internal network.
>
>
>
>
> -- 
>    \\\\\                       hedgie () hedgie com
>   \\\\\\\__o   Bringing hedgehogs to the common folk since 1994.
> __\\\\\\\'/________________________________________________________
>
> Visit http://www.hedgie.com for information on my latest book,
> "Waiting for War," published by Aventine Press!
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the
> skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
>
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------