comp.protocols.tcp-ip: TCP and IP network protocols.
#1
Why is it useless to filter traffic originating from private address
space on internet routers?

1. Does not prevent spoofing.

Private space constitutes only 0.4% of the spoofable address space. As
many as 4.27 billion spoofable addresses remain.

2. Filters legitimate traffic.

Though technically improper, legitimate internet traffic does originate
from private address space. A case in point is a traceroute that
transits a privately addressed network, a perfectly functional
configuration within an autonomous system.
|
|
|
#2
In article <1163880047.91045.6.camel@dm.deadghost.com>,
Dom <invalid@invalid.invalid> wrote:

>Why is it useless to filter traffic originating from private address
>space on internet routers?
>1. Does not prevent spoofing.
>Private space constitutes only 0.4% of the spoofable address space. As
>many as 4.27 billion spoofable addresses remain.

But the private addresses get used over and over and over.

>2. Filters legitimate traffic.
>Though technically improper, legitimate internet traffic does originate
>from private address space. A case in point is a traceroute that
>transits a privately addressed network, a perfectly functional
>configuration within an autonomous system.

No, that is not legitimate traffic on the Internet. If the network edge
does not NAT the returning IP address before it reaches the Internet,
then the network address translation is broken, and there is no need for
the public network to cater to broken internal networks.

If you are a network administrator of the affected network, then you
have a number of different potential mechanisms to trace down the
problem. If you are not a network administrator of the affected network,
then turn the issue over to the appropriate network admin for
resolution.

>Why is it useless to filter traffic originating from private address
>space on internet routers?

It is useless to *permit* such traffic on the public internet. The only
possible use for such traffic would be for packets that do not expect
(or want!) a reply. There is a lot of room for abuse with such anonymous
packets, and nearly every legitimate use can be replaced by a case of
using a legitimate IP address. (What legitimate uses remain? Possibly
"call home" packets for tracking stolen objects, but even that gets
somewhat dubious.)
|
|
|
#3
On Sat, 18 Nov 2006, in the Usenet newsgroup comp.protocols.tcp-ip, in article
<1163880047.91045.6.camel@dm.deadghost.com>, Dom wrote:

>2. Filters legitimate traffic.

What legitimate traffic? Tell us how you can establish a "two-way"
connection to an RFC3330 address. Tell us how you can send _ANYTHING_ to
an RFC3330 address over the Internet.

>Though technically improper, legitimate internet traffic does originate
>from private address space. A case in point is a traceroute that
>transits a privately addressed network, a perfectly functional
>configuration within an autonomous system.

Except that you have no legitimate reason to even attempt to connect to
such a system, so why should someone waste a "real" IP address on
something that no one _can_ connect to? While it's not impossible for a
router using an RFC1918 address to generate an ICMP error (traceroute
counts on this), it's not common in "normal" operation, and ICMP errors
are the ONLY possible traffic that can be sent.

Old guy
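As an added illustration, not part of the thread, the following Python block does two things the posts argue about in words: it works out Dom's "0.4%" figure from post #1 (the three RFC 1918 blocks against the whole IPv4 space), and it applies the kind of source-address ingress filter the replies favour to a handful of constructed flow records, including the ICMP error from a privately addressed traceroute hop that Old guy describes in post #3. The flow-record format (`src=`, `dst=`, `proto=` fields), the sample addresses and the timestamps are assumptions made for this example; the address blocks are the RFC 1918 ranges plus the other RFC 3330 special-use ranges that cannot be valid sources on the public Internet.

```python
"""Added example: ingress filter for source addresses that should never appear
on the public Internet, plus the arithmetic behind the "0.4%" figure.
Record format and sample addresses are constructed for this example."""
import ipaddress
import re
from typing import List, Optional, Tuple

# RFC 1918 private address space: 10/8, 172.16/12, 192.168/16.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Other RFC 3330 special-use blocks that are never valid as a source address
# on the public Internet ("this" network, loopback, link-local, TEST-NET,
# multicast, reserved).
SPECIAL_USE = RFC1918 + [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("224.0.0.0/4"),
    ipaddress.ip_network("240.0.0.0/4"),
]

IPV4_SIZE = 2 ** 32


def private_fraction() -> float:
    """Share of IPv4 covered by RFC 1918: (2^24 + 2^20 + 2^16) / 2^32, about 0.42%."""
    return sum(n.num_addresses for n in RFC1918) / IPV4_SIZE


def remaining_spoofable() -> int:
    """Addresses still available to a spoofer once RFC 1918 sources are dropped."""
    return IPV4_SIZE - sum(n.num_addresses for n in RFC1918)


def match_special_use(src: str) -> Optional[str]:
    """Return the special-use block containing src, or None if src looks routable."""
    addr = ipaddress.ip_address(src)
    for net in SPECIAL_USE:
        if addr in net:
            return str(net)
    return None


# Constructed flow-record format: "<time> src=<ip> dst=<ip> proto=<name>".
RECORD_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\S+)")


def apply_ingress_filter(records: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split records into permitted lines and dropped (line, matching block) pairs."""
    permitted: List[str] = []
    dropped: List[Tuple[str, str]] = []
    for line in records:
        m = RECORD_RE.search(line)
        if not m:
            continue  # malformed record; ignored in this example
        net = match_special_use(m.group(1))
        if net is None:
            permitted.append(line)
        else:
            dropped.append((line, net))
    return permitted, dropped


# Constructed sample records. 198.51.100/24 and 203.0.113/24 are documentation
# ranges standing in for ordinary public addresses; the ICMP record is the
# TTL-exceeded reply a privately addressed traceroute hop would emit.
SAMPLE_RECORDS = [
    "2006-11-18T20:00:01 src=198.51.100.7 dst=203.0.113.5 proto=tcp",
    "2006-11-18T20:00:02 src=192.168.1.10 dst=203.0.113.5 proto=tcp",
    "2006-11-18T20:00:03 src=10.0.0.1 dst=203.0.113.5 proto=icmp",
    "2006-11-18T20:00:04 src=172.20.5.5 dst=203.0.113.5 proto=udp",
    "2006-11-18T20:00:05 src=127.0.0.1 dst=203.0.113.5 proto=udp",
]

if __name__ == "__main__":
    print(f"RFC 1918 share of IPv4: {private_fraction():.2%}")
    print(f"Spoofable addresses left: {remaining_spoofable():,}")
    ok, bad = apply_ingress_filter(SAMPLE_RECORDS)
    for line in ok:
        print("PERMIT", line)
    for line, net in bad:
        print("DROP  ", net, line)
```

Running it shows both sides of the argument at once: the filter removes only about 0.42% of the address space a spoofer could pick from, so it is no defence against spoofing on its own, but every record it drops is one to which no reply could ever be routed back, which is why the replies treat such sources as invalid rather than merely unusual. The ICMP record from 10.0.0.1 is dropped like the rest; a traceroute crossing such a filter simply shows that hop as a timeout.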
|
|
|
#4
In article <1163880047.91045.6.camel@dm.deadghost.com>,
Dom <invalid@invalid.invalid> wrote:

>Why is it useless to filter traffic originating from private address
>space on internet routers?
>
>1. Does not prevent spoofing.
>
>Private space constitutes only 0.4% of the spoofable address space. As
>many as 4.27 billion spoofable addresses remain.

Huh??? How many hosts (user machines, home routers, etc) out there would
you guess have a 192.168.1.0/24 IP address?

--
-- Rod
-- rodd(at)polylogics(dot)com