nanog mailing list archives

Re: RFC1918 addresses to permit in for VPN?


From: Andrew Brown <twofsonet () graffiti com>
Date: Tue, 2 Jan 2001 11:47:23 -0500


> In the big recurring battle on NANOG, the topic of RFC 1918 addrs
> comes up because some people like using them for endpoints of
> point-to-point links between routers within their transit networks,
> and others condemn that practice, citing the urgent operational
> necessity to run traceroute, which requires "seeing" each interface
> on the path through the transit network, and the recommendation in
> RFC 1918 itself to filter RFC 1918 addrs at the border.

the traceroute thing annoys me.  there is an operational concern as
well though.  consider this simplistic network:

    [ME] ---- [NAT] ---- [SOMEONE] ---- [SITE]

where i'm using 172.16/16 internally, and the nat device is my gateway
so that i can reach out to the internet (but they cannot reach back in
:).  then suppose that i'm using pmtu discovery and that someone is
using 172.16/16 for their point to point serial links.  if i filter
icmp from 1918, my connection will hang.  on the other hand, if i
don't it will appear that i'm getting icmp need frag messages from
*inside* my own network.

> The juxtaposition of these two threads, RFC1918+NAT for security and
> RFC 1918 link addrs, brought to my mind an interesting question.
> Since some folks get so outspokenly upset if they see RFC 1918
> addrs in a traceroute, I wonder if it'd be possible to configure
> a border router to NAT those RFC 1918 addrs. Obviously this would
> be something you'd want to be able to switch on and off on a
> per-customer basis; folks who'd rather see the real assigned addrs
> in their traceroute output would ask for this to be left off, those
> who cannot abide the sight of those addrs could have it turned on,
> and so would see repetitions of the NAT-ting border router addr with
> the increasing hop count until the far edge of the net was reached.

they shouldn't need to nat icmp messages.  that would be hokey.  what
they ought to do (imho), is set the icmp source address on these
routers to something that *is* globally reachable.  or at least makes
more sense.  that, of course, presupposes that they *have* globally
reachable addresses.  i can't imagine why they wouldn't, but...

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
andrew () crossbar com       * "information is power -- share the wealth."
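[Editor's note, added to this archive page: the Python below is an added example and is not part of Andrew's post or of any code discussed on NANOG. It models the two points made in the reply: a blanket "drop everything sourced from RFC 1918" border filter also drops the ICMP type 3 code 4 "fragmentation needed" message a transit router numbered out of 172.16/16 sends back, so path MTU discovery black-holes and the connection hangs; and with the filter off, that message looks as though it came from inside the poster's own 172.16/16 network. It also models the fix the reply suggests, sourcing ICMP from a globally reachable address. The path, hop names, MTUs and addresses are constructed for the simulation (documentation ranges from RFC 5737 plus 172.16/16); the NAT box is not modelled and no vendor behaviour is implied.]

```python
"""Simulation of the PMTUD failure mode described in the reply above.

A border filter that drops everything sourced from RFC 1918 space also drops
the ICMP "fragmentation needed" a transit router numbered from 172.16/16 sends.
All addresses and MTUs are constructed for this example (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ICMP_UNREACH, CODE_FRAG_NEEDED = 3, 4   # ICMP type 3, code 4 (RFC 792 / RFC 1191)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Hop:
    name: str
    link_addr: str                   # interface the packet leaves on
    mtu: int                         # MTU of that outbound link
    icmp_src: Optional[str] = None   # address the router sources ICMP from, if set

    def error_source(self) -> str:
        return self.icmp_src or self.link_addr


# Hypothetical path mirroring [ME] ---- [NAT] ---- [SOMEONE] ---- [SITE].
# "someone" numbers its serial link from 172.16/16, the same space ME uses.
PATH: List[Hop] = [
    Hop("nat", "203.0.113.1", 1500),
    Hop("someone-r1", "172.16.5.1", 1400),   # serial link with the smaller MTU
    Hop("someone-r2", "172.16.5.2", 1500),
    Hop("site", "198.51.100.10", 1500),
]

# An ingress filter returns True when ME's border should drop the inbound ICMP.
Filter = Callable[[str, int, int], bool]


def drop_all_rfc1918(src: str, icmp_type: int, icmp_code: int) -> bool:
    """Blanket RFC 1918 ingress filter: the setting that makes PMTUD hang."""
    return is_rfc1918(src)


def permit_frag_needed(src: str, icmp_type: int, icmp_code: int) -> bool:
    """Same filter, but let Fragmentation Needed through regardless of source."""
    if (icmp_type, icmp_code) == (ICMP_UNREACH, CODE_FRAG_NEEDED):
        return False
    return is_rfc1918(src)


def send_with_pmtud(path: List[Hop], size: int, ingress: Filter,
                    max_rounds: int = 8) -> Tuple[bool, int, List[str]]:
    """Send a DF-bit packet of `size` bytes, shrinking on each Frag Needed that
    reaches ME. Returns (delivered, final_size, ICMP source addresses seen)."""
    seen: List[str] = []
    for _ in range(max_rounds):
        too_small = next((h for h in path if size > h.mtu), None)
        if too_small is None:
            return True, size, seen
        src = too_small.error_source()
        if ingress(src, ICMP_UNREACH, CODE_FRAG_NEEDED):
            # Black hole: no error arrives, the sender keeps retransmitting at
            # the old size, and the connection hangs.
            return False, size, seen
        seen.append(src)
        size = too_small.mtu
    return False, size, seen


def looks_internal(src: str, my_net: str = "172.16.0.0/16") -> bool:
    """With the filter off, an error from 172.16.5.1 appears to come from
    inside ME's own 172.16/16 network."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(my_net)


def with_public_icmp_source(path: List[Hop]) -> List[Hop]:
    """The reply's suggestion: keep the 172.16/16 link numbering but source
    ICMP from a globally reachable address (hypothetical 192.0.2.0/24 here)."""
    return [Hop(h.name, h.link_addr, h.mtu, f"192.0.2.{i + 1}")
            if is_rfc1918(h.link_addr) else h for i, h in enumerate(path)]


if __name__ == "__main__":
    print(send_with_pmtud(PATH, 1500, drop_all_rfc1918))     # hangs at 1500
    print(send_with_pmtud(PATH, 1500, permit_frag_needed))   # delivered at 1400
    print(send_with_pmtud(with_public_icmp_source(PATH), 1500, drop_all_rfc1918))
```

The third call shows that once the transit routers source their ICMP from public space, even the blanket filter no longer breaks PMTUD, which is the reply's point about not needing to NAT the ICMP at all.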

