Exodus / Clue problems

• Previous message (by thread): Exodus / Clue problems
• Next message (by thread): Exodus / Clue problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>Define "network border." I used to block all traffic from or to RFC1918

	[root at Overkill /]# traceroute mae-east.fnsi.net
	traceroute to mae-east.fnsi.net (192.41.177.11), 30 hops max, 40 byte packets
----->	 1  border-core0-eth1.Columbus.EnterZone.Net (209.41.244.1)  0.538
ms  0.444 ms  0.411 ms
|	 2  core1-eth0-ENTERZONE.Columbus.fnsi.net (209.115.127.21)  0.916 ms
0.783 ms  0.774 ms
| --->	 3  border1-atm6.Vienna.fnsi.net (206.183.239.90)  23.132 ms  23.797
ms  23.829 ms
| |
| |-- That is the network border of my provider at mae-east.
|
|---- That is the network border for MY network.  The DEMARC where my
network ends and my providers begins.


I can't tell you precisely where yours is since @home has decided to block
the traceroute.

[root at Overkill /]# traceroute www.senie.com
traceroute: Warning: Multiple interfaces found; using 209.41.244.2 @ eth0
traceroute to fennel.senie.com (204.69.207.2), 30 hops max, 40 byte packets
 1  border-core0-eth1.Columbus.EnterZone.Net (209.41.244.1)  0.542 ms
0.438 ms  0.411 ms
 2  core1-eth0-ENTERZONE.Columbus.fnsi.net (209.115.127.21)  0.896 ms
0.768 ms  0.731 ms
 3  core1-atm0.Cleveland.fnsi.net (209.115.127.102)  12.083 ms  9.756 ms
9.316 ms
 4  border1-atm6.SanJose.fnsi.net (206.183.239.94)  66.729 ms  65.678 ms
63.696 ms
 5  bb2.mae-w.home.net (198.32.136.70)  67.027 ms  65.376 ms  76.126 ms
 6  172.16.2.250 (172.16.2.250)  90.842 ms  78.524 ms *
 7  172.16.2.58 (172.16.2.58)  146.095 ms  130.080 ms *
 8  10.0.248.34 (10.0.248.34)  118.753 ms  125.679 ms  128.392 ms
 9  10.252.48.218 (10.252.48.218)  156.053 ms !X * *
10  10.252.48.218 (10.252.48.218)  129.488 ms !X *  146.837 ms !X

Bad idea in my book.  By the way, you might want to ask them about all of
those *'s.  Nasty, nasty, nasty.

In addition, path MTU discovery won't work on your network because of the
RFC1918 addresses.  Don't get me wrong.  I personally use RFC1918 addresses
within my network.  Those are NON-EXPOSED hosts however and there is no
need for path discovery to take place.  In your case, your provider wanted
to save 4 IP addresses, a /30.

>addresses, but my present upstream is using 10.0.0.0/8 and
>172.16.0.0/16, at least, for their internal use. So, the IP address of
>the WAN interface on my router connecting to them has a 10.0.0.0/8
>address. If I block incoming traffic to 10.0.0.0/8, they can't monitor
>my net.

Find out from them SPECIFICALLY which machine they want to monitor your
router from and open your router up to that IP address individually.  Block
the rest of them.

>
>It appears this is becoming the preferred way for ISPs to limit their
>use of address space for internal-only functions. While this makes sense

The key phrase here is "internal-only." I would hardly consider your router
or any router between yours and the rest of the world to be considered
"internal-only."

>at some levels, attached corporate networks may have already used those
>addresses. The result is some level of confusion, though for the most
>part it doesn't break too many things. Mostly, it's just annoying since
>firewalls can't filter out stuff they'd otherwise limit.

I can find no good reason for joe blow fortune 1000 company to use anything
other than RFC1918 addresses on their INTERNAL network and run NAT or set
up a proxy or something.  I can also not find any good reason to use
RFC1918 space between routers.  It breaks too many things.  I want to see
you poll or for that matter, log into your router from any other network
than your own.  I Hope nothing happens that would require your PERSONAL
attention while you're at some convention, on vacation, etc.

>
>In cases where ISPs use RFC1918 addresses within their networks, they
>really should:
>
>- Tell their downstream customers WHICH of these blocks are in use.
>
>- Provide filters at peering points that ensure RFC1918 addresses from
>  outside the ISP's space do not come in from outside.
>
>- Provide Ingress filtering at all downstream customer ports to ensure
>  only valid source IP addresses come from their customers.
>

...and one last point...

- Have someone loan them a clue about why they should NOT use RFC1918 space
in the way your isp is doing so.


-------
John Fraizer                      |    __   _
The System Administrator          |   / /  (_)__  __ ____  __ | The choice
mailto:John.Fraizer at EnterZone.Net |  / /__/ / _ \/ // /\ \/ / |  of a GNU
http://www.EnterZone.Net/         | /____/_/_//_/\_,_/ /_/\_\ | Generation
                     A 486 is a terrible thing to waste...

• Previous message (by thread): Exodus / Clue problems
• Next message (by thread): Exodus / Clue problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]