private ip addresses from ISP

Hyunseog Ryu r.hyunseog at
Tue May 23 06:49:26 UTC 2006

In reality, from what I see, most large ISP doesn't care about RFC1918.
I've been dealing with this issue for a while.
Not all of them, because I didn't deal with all of them.
But some of them has strange policy for ACL, because it has large impact 
on router platform CPU utilization.
Strictly some ISP doesn't allow to put ACL for more than 24 hours 
including RFC1918 ip address space originated traffic.
So I'm doing it from our core router to block those traffic, and fun to 
watch the counters increasing so rapidly. ^.^

For an example,
hryu at chc-core-r1> show firewall filter XXX-in
Filter: XXX-in
Name                                                Bytes 
XXX-in-default                      430738360735883         743436641099
XXX-in-rfc1918-10                       12742937908             41900221
XXX-in-loopback                           785367140              2678266
XXX-in-dhcp-default                        36982506               413978
XXX-in-rfc1918-172-16                    1240646548             13026411
XXX-in-test-net                               44318                  621
XXX-in-rfc1918-192-168                   1806857741             17309861
XXX-in-reserved-e-class                           0                    0
ospf-deny                                           14135 
h323                                              8785570 
XXX-in-microsoft                       305199975828           5751955784
ms-exclude                                      424428929 
on-fire                                      173190029170 

I'm wondering whether this is really about router platform issue, and 
they want their customer including smaller ISPs to bill more because of 
these junk traffic.


Andrew Kirch wrote:
>> -----Original Message-----
>> From: owner-nanog at [mailto:owner-nanog at] On Behalf
> Of
>> David Schwartz
>> Sent: Wednesday, May 17, 2006 1:37 PM
>> To: nanog at
>> Subject: RE: private ip addresses from ISP
>>> Our router is running BGP and connecting to our
>>> upstream provider with /30 network.   Our log reveals
>>> that there are private IP addresses reaching our
>>> router's interface that is facing our upstream ISP.
>>> How could this be possible?  Should upstream ISP be
>>> blocking private IP address according to standard
>>> configuration?  Could the packet be stripped and IP be
>>> converted somehow during the transition? It happens in
>>> many Tier-1 ISP though !
>>> Thank you for your information
>> 	Do you mean:
>> 	1) You are seeing BGP routes for addresses inside private space?
>> 	2) You are seeing packets with destination IPs inside private
> space
>> arriving at your interface from your ISP?
>> 	3) You are seeing packets with source IPs inside private space
>> arriving at
>> your interface from your ISP?
>> 	If 1, feel free to filter them. You ISP probably uses them
>> internally and
>> is leaking them to you. Feel free to complain if you want.
>> 	If 2, make sure you aren't advertising routes into RFC1918 space
> to
>> your
>> ISP. If not, you should definitely ask them what's up.
>> 	If 3, that's normal. These are packets your ISP received that
> are
>> addressed
>> to you and the ISP is leaving to you the decision of whether to accept
>> them
>> or not. Feel free to filter them out if you wish. (It won't break
> anything
>> that's not already broken.)
> Sorry to dig this up from last week but I have to strongly disagree with
> point #3.  
>>From RFC 1918
>    Because private addresses have no global meaning, routing information
>    about private networks shall not be propagated on inter-enterprise
>    links, and packets with private source or destination addresses
>    should not be forwarded across such links. Routers in networks not
>    using private address space, especially those of Internet service
>    providers, are expected to be configured to reject (filter out)
>    routing information about private networks.
> The ISP shouldn't be "leaving" anything to the end-user, these packets
> should be dropped as a matter of course, along with any routing
> advertisements for RFC 1918 space(From #1). ISP's who leak 1918 space
> into my network piss me off, and get irate phone calls for their
> trouble.
> Andrew

More information about the NANOG mailing list