Re: Removing ping/icmp from a network
- From: "Michael Painter" <tvhawaii@xxxxxxxxx>
- Date: Sat, 29 Mar 2008 15:32:32 -1000
----- Original Message ----- From: "Ansgar -59cobalt- Wiechers" Sent: Friday, March 28, 2008 6:44 AM
On 2008-03-27 Michael Painter wrote:I'm not sure what 'clean' means, but I'm not supposed to see 10/8
addresses on the "Internet".
You aren't seeing them "on the Internet".
Poor choice of words, maybe? How about via the Internet?
Anyway, there are (at least) two schools of thought on this, as shown by this thread from NANOG.
I've excised a couple, posted below.
(From RFC 1918)
Because private addresses have no global meaning, routing
information about private networks shall not be propagated on
inter-enterprise links, and packets with private source or
destination addresses should not be forwarded across such links.
Routers in networks not using private address space, especially
those of Internet service providers, are expected to be
configured to reject (filter out) routing information about
> > > There are good reasons to want to get those packets (traceroutes from
> > > people who have numbered their networks in rfc1918 networks,
> > No John, there are exactly zero reasons, good or otherwise, for allowing
> any traffic with RFC-1918 source addresses to traverse any part of the
> public Internet. Period! :-)
You are being religious, and I shall not descend into this sort of
discussion with you. It is simply non productive nor professional.
OK, sorry, let me qualify that:
No John, there are exactly zero TECHNICAL reasons, good or otherwise,
for allowing any traffic with RFC-1918 source addresses to traverse any
part of the public Internet. Period! :-)
I disagree, and believe that other reasonable people do so as well,
and there is therefore argument over this issue. People should not
assert canonicity upon it. End of story.
In all of the past discussions on this issue there have never been any
presentations of technical reasons for allowing RFC-1918 addresses (in
either the source *or* destination fields) to traverse the public
Internet. (At least none have been presented while I've been watching,
Yes those who have the misunderstanding that they can use such addresses
are going to fail to filter them lest they block their own uses, but
that's circular reasoning, even if it is technically correct within the
microcosms of those people's own minds.
However in public there is no possible valid technical argument, by mere
definition of the way RFC-1918 defines the fact that such addresses are
solely for PRIVATE use, and private use ONLY. Unfortunately RFC-1918 is
not also a STD-* document, but even as it is just a Best Current
Practice, it can only ever really succeed even as a BCP if everyone
co-operates completely, and since people are eager to use PRIVATE
addresses that pretty much forces the rest of you to co-operate since
we're going to filter the heck out of your "mis-uses".
RFC-1918 also clearly suggests that non-unique PRIVATE addresses are
really only useful where external connectivity is not used -- i.e. for
private networks that are never in any way connected to the public
Internet. I.e. use of private addresses on public devices, with or
without filtering at network borders, is still "wrong". One might even
go so far as to argue that use of PRIVATE addresses behind a proper NAT
is similarly "wrong", though of course with a proper NAT you'd never
Note that any part of the Internet which joins any two independently
controlled and operated nodes is, by definition, public. That means
that even an ISP with just direct customers must still never allow
RFC-1918 addresses to appear at either their customer sites, or on their
back-haul(s) to the rest of the Internet. Their customers have just as
much right to make private use of RFC-1918 addresses as does any other
participant on the public Internet. Any use by any ISP of any RFC-1918
addressing violates that right.
The only other technical option is to forget about allocating private
address space, deprecate RFC-1918, and open up the address space to full
and proper routing. Though I do find private address space handy, I
wouldn't mind making all that space publicly available too. So, do we
want RFC-1918 promoted to a full standard, or deleted? You choose.
RFC1918 addreses cause real problems. They are not supposed to be used. It
cannot be made much clearer than that. Choosing to ignore the wishes of
the rest of the Internet community in order to make your own life a little
bit easier is not a question of free will, it is a matter of
Furthermore, if you claim that you have the right to violate spirit and
intent of Internet BCPs then I certainly have the right to complain about
it without being labelled as psycho/paranoid/nazi.
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
| <-- packet entering Microsoft's network
Router (184.108.40.206) |
Router (220.127.116.11) <-- Router doing NAT
| <-- packet entering private network
Traceroute reports the IP addresses of the "en-route" hosts the packets
traverse. That may include private IP addresses.
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq
- Re: Removing ping/icmp from a network
- From: Ansgar -59cobalt- Wiechers
- Re: Removing ping/icmp from a network
- Prev by Date: Re: encryption software for pendrive
- Next by Date: Re: Removing ping/icmp from a network
- Previous by thread: Re: encryption software for pendrive
- Next by thread: Re: Removing ping/icmp from a network