address spoofing

Daniel Senie dts at
Fri Apr 23 00:13:47 UTC 1999

"Gary E. Miller" wrote:
> Yo Randy!
> On Thu, 22 Apr 1999, Randy Bush wrote:
> >     deny ip any (593 matches)
> >     deny ip any (201 matches)
> >     deny ip any (769 matches)
> [...]
> > anyone have clues other than net slime and misconfigured nats?
> If you did a traceroute thru a router using a private address on
> one of its interfaces you could see this.  That would be legit.

What RFC 1918 says, is that you're supposed to ensure at border points
that private addresses are not leaked. ISPs who insist on using RFC 1918
addresses on their routers should be responsible for filtering out any
responses such routers make (e.g. traceroute packets) at their borders.
In reality, routers used in the ISP infrastructure are NOT good
candidates for RFC 1918 addresses. My present upstream (@Home network)
appears to use all of the RFC 1918 address blocks for their own use, and
leaks them everywhere. Had I known this before signing a contract, they
wouldn't have gotten my business.

An interesting passage from RFC 1918, a.k.a. BCP 5, is:

"Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
links, and packets with private source or destination addresses should
not be forwarded across such links. Routers in networks not using
private address space, especially those of Internet service providers,
are expected to be configured to reject (filter out) routing information
about private networks. If such a router receives such information the
rejection shall not be treated as a routing protocol error."

Daniel Senie                                        dts at
Amaranth Networks Inc.  
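As an added illustration (not part of the thread and not any poster's router configuration), the following Python script models the border filter the quoted RFC passage calls for. It classifies addresses against the three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), drops anything with a private source or destination in either direction, and tallies per-block deny counters in the style of the "deny ip ... (N matches)" lines quoted above. The packet records, the `border_filter`/`apply_filter` function names and the use of RFC 5737 documentation prefixes as stand-ins for globally routable addresses are all assumptions made for this example.

```python
"""Model of an RFC 1918 border filter (added example, not from the NANOG thread).

RFC 1918 / BCP 5 reserves three blocks for private use:
    10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Packets carrying a private source or destination address should not cross
an inter-enterprise link, so a border router filters them in both directions.
The packet records below are constructed for illustration only.
"""
import ipaddress

RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def rfc1918_block(addr):
    """Return the RFC 1918 block containing addr, or None if it is not private.

    Note that 172.16.0.0/12 covers 172.16.x.x through 172.31.x.x only;
    172.32.0.0 and above are outside private space.
    """
    ip = ipaddress.ip_address(addr)
    for net in RFC1918_BLOCKS:
        if ip in net:
            return net
    return None


def border_filter(packet):
    """Decide whether a packet may cross the border link.

    packet is a dict with 'src' and 'dst' (dotted-quad strings) and a
    free-form 'proto' label used only for reporting.  Returns (verdict, reason).
    """
    src_block = rfc1918_block(packet["src"])
    dst_block = rfc1918_block(packet["dst"])
    if src_block is not None:
        return ("deny", f"private source {packet['src']} in {src_block}")
    if dst_block is not None:
        return ("deny", f"private destination {packet['dst']} in {dst_block}")
    return ("permit", "source and destination outside RFC 1918 space")


def apply_filter(packets):
    """Run border_filter over packets; return (per-block deny counts, permitted).

    The counts mirror the match counters on the ACL lines quoted in the thread.
    """
    counts = {str(net): 0 for net in RFC1918_BLOCKS}
    permitted = []
    for pkt in packets:
        verdict, _ = border_filter(pkt)
        if verdict == "deny":
            block = rfc1918_block(pkt["src"]) or rfc1918_block(pkt["dst"])
            counts[str(block)] += 1
        else:
            permitted.append(pkt)
    return counts, permitted


# Constructed sample traffic seen at an ISP border (assumption: 203.0.113.0/24
# and 198.51.100.0/24, the RFC 5737 documentation nets, stand in for globally
# routable addresses).  The first packet models an ICMP time-exceeded reply
# from a transit router numbered out of 10/8, i.e. the traceroute leak
# described in the thread.
SAMPLE_PACKETS = [
    {"src": "10.1.2.3",     "dst": "203.0.113.9",  "proto": "icmp time-exceeded"},
    {"src": "192.168.1.10", "dst": "198.51.100.4", "proto": "tcp/80"},
    {"src": "172.31.255.1", "dst": "198.51.100.4", "proto": "udp/33434"},
    {"src": "172.32.0.1",   "dst": "198.51.100.4", "proto": "tcp/25"},  # not private
    {"src": "198.51.100.4", "dst": "10.0.0.1",     "proto": "tcp/443"},
    {"src": "203.0.113.9",  "dst": "198.51.100.4", "proto": "udp/33434"},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = border_filter(pkt)
        print(f"{pkt['src']:>14} -> {pkt['dst']:<14} {verdict:6} {reason}")
    print(apply_filter(SAMPLE_PACKETS)[0])
```

On the constructed sample the filter denies four packets (two against 10/8, one each against 172.16/12 and 192.168/16) and permits two, including the 172.32.0.1 source that a sloppy "172.*" rule would wrongly drop. The point of filtering on source as well as destination is the one made above: an ISP that numbers its routers from RFC 1918 space must still stop those routers' own replies at the border, or they leak to every customer running traceroute.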