[atlas] All-Probe Traceroute + detect RFC1918 addresses

Jeroen Massar via ripe-atlas <ripe-atlas at ripe.net> writes:

> If one sees RFC1918 in a traceroute (especially >5 hops away, thus
> just not the client->CPE hops), it indicates that every hop in the
> middle is not filtering at least RFC1918; more likely they are thus
> just doing any kind of reverse prefix filtering aka the largest part
> of BCP38.

To be difficult again.... But I don't think you can make that assumption
unless you are able to detect that the ICMP errors cross some network
border.  Using RFC1918 on links in your own network is fine. And having
them show up in traceroutes is a feature.

To illustrate, this a traceroute from a standard mobile netowrk access
to one of the DNS resolvers used from that access:

bjorn at miraculix:~$ traceroute -e 130.67.15.198
traceroute to 130.67.15.198 (130.67.15.198), 30 hops max, 60 byte packets
 1  77.16.1.8.tmi.telenormobil.no (77.16.1.8)  435.127 ms  644.941 ms  644.890 ms
 2  ti0006c360-ae17-0.ti.telenor.net (146.172.18.85) <MPLS:L=18694,E=2,S=0,T=1/L=26,E=2,S=1,T=1>  653.783 ms  653.735 ms  653.686 ms
 3  ti0300c360-ae4-0.ti.telenor.net (146.172.23.174) <MPLS:L=844,E=2,S=0,T=1/L=26,E=2,S=1,T=2>  653.638 ms  653.592 ms  653.543 ms
 4  10.67.115.189 (10.67.115.189)  653.481 ms  653.432 ms  653.383 ms
 5  * * *
 6  ti0001a401-ae18-21.ti.telenor.net (213.142.76.153)  653.270 ms  206.020 ms  32.959 ms
 7  ti0275c360-ae49-0.ti.telenor.net (146.172.22.98) <MPLS:L=8866,E=0,S=1,T=1>  33.781 ms  32.122 ms  35.930 ms
 8  ti0275a400-ae1-0.ti.telenor.net (146.172.101.94)  37.812 ms  40.701 ms  40.666 ms
 9  ns11.e.nsc.no (130.67.15.198)  40.628 ms  40.591 ms  40.555 ms


So you can see the RFC1918 address on one of the links between the VPN
with the PGW and the Internet.  So what?  It's still one ISP.  And much
more useful info than hop number 5.



Bjørn