Re: SSH'ing between machines with private IPs



"Richard E. Silverman" <res@xxxxxxxx> writes:

"Unruh" == Unruh <unruh-spam@xxxxxxxxxxxxxx> writes:

Unruh> No. All public routers throw them away precisely because of
Unruh> their problems. Sure, internally you may be able to route
Unruh> them,

Hence they are not "unroutable;" the term is a contradiction, period. It
makes no sense.

Again, they are unroutable because the routers in between throw the packets
away. They do not return them (whatever that would mean), they simply drop
them. That is what I mean by unroutable.
Now, it is certainly possible for routers to be set up not to do that, but
that is not the general situation.

Unruh> So I repeat, private IPs are better called unroutable IPs.

The document which defines their use disagrees with you:

Fine.


>> Besides, these address ranges are defined in RFC 1918, entitled
>> "Address Allocation for Private Internets," which refers explicitly
>> and repeatedly to "private address space" and "private addresses."

Interesting that you did not comment on this.

What is there to comment on? I was not proscribing a term. I was saying that it is
more useful for the user to think of them as unroutable. I.e., you cannot
route packets over the internet to addresses in the private ranges. Now,
private can mean many things. People could well use addresses which are
part of the assigned ranges privately and not give any hint that they exist
to the outside world. That common sense of private is different from the
technical sense used in the RFC, but nonetheless can cause confusion.
Whereas I do not think unroutable does. It emphasises that they are
addresses to which packets cannot be delivered over the net.


As for changes taking "weeks" for DNS changes to propagate: of course some
DNS servers behave incorrectly. I have run into ISPs which do this.
However, it is an exception, not the rule, as well as being nonstandard
behavior, and I don't think claiming this is a normal occurrence is
reasonable. I run DNS for several organizations, and changes to RR's with
short TTLs are typically visible to most people within the span of those
TTLs.

I am giving experimental evidence. In the case of the telus AP, I have no
idea what their TTL is, but it took a week for the new IP to propagate to
the local university.
In the case of the MX record, the TTL was hours, and three weeks later I
was still getting mail delivered to the wrong IP. So, your systems may be
set up properly. I was simply telling the OP not to rely on it.

--
Richard Silverman
res@xxxxxxxx
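The thread's practical point, that packets to or from RFC 1918 addresses cannot be delivered across the public Internet, is also what a border-interface sanity check rests on. As an added example (not code from this thread or its participants), the Python below classifies IPv4 addresses against the three RFC 1918 blocks and flags flows seen on an Internet-facing interface that carry such an address on either side; the sample flows are constructed.

```python
import ipaddress

# The three blocks RFC 1918 sets aside for private internets.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def rfc1918_block(addr):
    """Return the RFC 1918 block (as a string) containing addr, or None
    if the address is outside all three private ranges."""
    ip = ipaddress.ip_address(addr)
    for block in RFC1918_BLOCKS:
        if ip in block:
            return str(block)
    return None


def flag_wan_flows(flows):
    """flows: iterable of (src, dst) address pairs observed on an
    Internet-facing interface. Returns the flows that involve an RFC 1918
    address on either side. Transit routers drop such packets, so on a
    border interface they point to misconfiguration, address leakage or
    spoofed sources rather than legitimate traffic."""
    flagged = []
    for src, dst in flows:
        reasons = []
        src_block = rfc1918_block(src)
        if src_block:
            reasons.append(f"src in {src_block}")
        dst_block = rfc1918_block(dst)
        if dst_block:
            reasons.append(f"dst in {dst_block}")
        if reasons:
            flagged.append((src, dst, "; ".join(reasons)))
    return flagged


# Constructed sample flows using documentation (TEST-NET) public addresses.
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.20"),   # public to public: nothing to flag
    ("10.1.2.3", "198.51.100.20"),      # private source leaking out
    ("203.0.113.7", "192.168.1.10"),    # destination unreachable over the net
    ("172.31.255.254", "172.15.0.1"),   # 172.31/16 is inside 172.16/12, 172.15/16 is not
]

if __name__ == "__main__":
    for src, dst, why in flag_wan_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {why}")
```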
