RFC1918 addresses to permit in for VPN?

Andrew Brown twofsonet at graffiti.com
Tue Jan 2 16:47:23 UTC 2001


>In the big recurring battle on NANOG, the topic of RFC 1918 addrs
>comes up because some people like using them for endpoints of
>point-to-point links between routers within their transit networks,
>and others condemn that practice, citing the urgent operational
>necessity to run traceroute, which requires "seeing" each interface
>on the path through the transit network, and the recommendation in
>RFC 1918 itself to filter RFC 1918 addrs at the border.

the traceroute thing annoys me.  there is an operational concern as
well though.  consider this simplistic network:

    [ME] ---- [NAT] ---- [SOMEONE] ---- [SITE]

where i'm using 172.16/16 internally, and the nat device is my gateway
so that i can reach out to the internet (but they cannot reach back in
:).  then suppose that i'm using pmtu discovery and that someone is
using 172.16/16 for their point-to-point serial links.  if i filter
icmp from 1918, my connection will hang.  on the other hand, if i
don't it will appear that i'm getting icmp need frag messages from
*inside* my own network.

>The juxtaposition of these two threads, RFC1918+NAT for security and
>RFC 1918 link addrs, brought to my mind an interesting question.
>Since some folks get so outspokenly upset if they see RFC 1918
>addrs in a traceroute, I wonder if it'd be possible to configure
>a border router to NAT those RFC 1918 addrs. Obviously this would
>be something you'd want to be able to switch on and off on a
>per-customer basis; folks who'd rather see the real assigned addrs
>in their traceroute output would ask for this to be left off, those
>who cannot abide the sight of those addrs could have it turned on,
>and so would see repetitions of the NAT-ting border router addr with
>the increasing hop count until the far edge of the net was reached.

they shouldn't need to nat icmp messages.  that would be hokey.  what
they ought to do (imho), is set the icmp source address on these
routers to something that *is* globally reachable.  or at least makes
more sense.  that, of course, presupposes that they *have* globally
reachable addresses.  i can't imagine why they wouldn't, but...

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior at daemon.org             * "ah!  i see you have the internet
twofsonet at graffiti.com (Andrew Brown)                that goes *ping*!"
andrew at crossbar.com       * "information is power -- share the wealth."
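As an added illustration of the dilemma in the post above (not code from the post or from anyone in the thread): a host behind a NAT receives an ICMP "fragmentation needed" message whose source is an RFC 1918 transit-link address, and has to decide whether to honour it. Filtering on the ICMP source address alone black-holes PMTU discovery; checking the quoted inner header against the host's own outbound flows keeps the legitimate message and still rejects one that matches nothing. The addresses, the flow table and both policy functions are constructed assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class FragNeeded:
    """ICMP type 3 code 4 as seen by the host: the router's ICMP source
    address, the next-hop MTU it advertises, and the header fields of the
    original datagram that the ICMP error quotes."""
    src: str          # address the router put in the ICMP source field
    mtu: int          # next-hop MTU advertised by the router
    inner_src: str    # quoted original datagram: source address
    inner_dst: str    # quoted original datagram: destination address
    inner_sport: int  # quoted original datagram: source port
    inner_dport: int  # quoted original datagram: destination port


def is_rfc1918(addr):
    """True if addr falls in any RFC 1918 range."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def policy_source_filter(msg, flows):
    """Naive policy from the post: drop all ICMP from RFC 1918 sources.
    A 'need frag' from someone's 172.16/16 serial link is lost."""
    return not is_rfc1918(msg.src)


def policy_flow_match(msg, flows):
    """Stateful policy (assumed alternative, not from the post): accept only if
    the quoted inner header matches a flow this host actually originated."""
    key = (msg.inner_src, msg.inner_dst, msg.inner_sport, msg.inner_dport)
    return key in flows


def apply_pmtu(msg, flows, path_mtu, policy):
    """Return the path MTU after processing msg under the given policy.
    A dropped message leaves the (too large) path MTU in place."""
    if policy(msg, flows) and msg.mtu < path_mtu:
        return msg.mtu
    return path_mtu
```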