This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] All-Probe Traceroute + detect RFC1918 addresses
- Previous message (by thread): [atlas] All-Probe Traceroute + detect RFC1918 addresses
- Next message (by thread): [atlas] All-Probe Traceroute + detect RFC1918 addresses
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gert Doering
gert at space.net
Fri Sep 17 16:29:06 CEST 2021
Hi, On Fri, Sep 17, 2021 at 04:17:47PM +0200, Bjørn Mork wrote: > > Section 5: > > > > It is strongly recommended that routers which connect enterprises to > > external networks are set up with appropriate packet and routing > > filters at both ends of the link in order to prevent packet and > > routing information leakage. > > > > I think that speaks very clearly about "you can do in your network > > whatever you want, but nobody else wants to see that" > > This fails to consider the situation where you are using RFC1918 > addresses on that link, which is common for mobile network access today. It doesn't. It is very clear that *if* you do, it's your responsibility to ensure ICMP packets are not sent from a RFC1918 address. This is not a fault in the RFC, it's a fault in the way these people build their networks. > My example didn't make that clear, but the traceroute probes are sent > from an RFC1918 address: > > bjorn at miraculix:~$ ip route get 130.67.15.198 > 130.67.15.198 dev wwan0 src 10.82.241.88 uid 1000 > cache > > So you should drop packets using RFC1918 addresses on that link? "What happens inside your network happens inside your network" (and the RFC explicitly permits that, of course), but we do not want to see it on someone else's network. > > Given the age of the document, the language used to be less STRONG > > back then. > > Sure. Assigning RFC1918 addresses to customers was also unheard of, and > didn't even need to be mentioned. If that is CGN'ed, it's not violating the RFC. Leaking packets from addresse that do not belong to you does. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: </ripe/mail/archives/ripe-atlas/attachments/20210917/69950e4c/attachment.sig>
- Previous message (by thread): [atlas] All-Probe Traceroute + detect RFC1918 addresses
- Next message (by thread): [atlas] All-Probe Traceroute + detect RFC1918 addresses
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]