> Yup. Here's the traceroute from my home machine, on a microwave link:
>
> Tracing route to wwwwseast.usec.sun.com [192.9.49.30]
> over a maximum of 30 hops:
>
> 1 20 ms 20 ms 48 ms 192.168.200.1
BIG NETWORK SNIP
> 5 27 ms 27 ms 27 ms lmi.rtr.wavepath.net [205.158.140.194]
> 6 31 ms 32 ms 31 ms 192.168.5.2
BIG NETWORK SNIP
> 17 129 ms 135 ms 137 ms wwwweast.usec.Sun.COM [192.9.49.30]
Ok, so my original point was not who's right or wrong for setting up a topology as such, but that it can happen, and that it's possible for "accidental spoofing", given that there is no -real- way to stop people from making intermediary routers use these addresses. So basically, it's a vulnerability in the way the world has decided to implement IP. Ricochet's network does this too...fortunately only from Ricochet user to Ricochet user.
> You'll notice 192.168.x.x used in two separate places. The first hop is the far
> side of the route from my PC, i.e. I'm not using 192.168.200.x on my Ethernet
> side.
But you could have been ;-)
> That's not the first time I've seen ISPs doing that, either.
>
> I consider this broken for an ISP. For exactly the same reason you point out.
> What if one of the intermediate routers needs to send me an ICMP unreachable
> of some sort? I'm perfectly within my rights to be using 192.168.x.x all over
> my private network.
I'll give you that, but we're not dealing with a user rights issue. We're dealing with an implementation issue - worldwide.
> I should be able to assume any packets from those addresses should be
> from inside hosts, and block them with anti-spoofing measures accordingly.
For you, that's fine. You understand packet filtering ACLs, etc...as do most people on the list, but the thousands of typical small to medium size businesses have administrators who haven't the foggiest idea what a spoofed packet is, or how to configure routing and firewalling equipment to discard it. They had "the guy come out and install it." They "just take care of the internal network and the servers." I can't tell you how many times I've heard this stuff, and how many times private addressing has been in use. Whether or not the ISP is routing private nets is simply dependent on which of the 1 gazillion plus ISPs you have chosen to use.
Matt
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
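Added example, not part of the thread: a small Python script that parses traceroute output like the one quoted above, flags hops answering from RFC 1918 space, and applies the border anti-spoofing rule the discussion describes, so you can see which intermediate routers' ICMP replies (TTL exceeded, unreachable, fragmentation needed) such a filter would silently discard. The sample traceroute is constructed from the hops shown in the message; the snipped hops are simply omitted.

```python
import ipaddress
import re
from typing import List, Tuple

# RFC 1918 ranges; dropping inbound packets with these source addresses at the
# border is the anti-spoofing measure the thread discusses.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, built from the hops quoted in the message (snipped hops omitted).
SAMPLE_TRACEROUTE = """\
Tracing route to wwwwseast.usec.sun.com [192.9.49.30]
over a maximum of 30 hops:

  1    20 ms    20 ms    48 ms  192.168.200.1
  5    27 ms    27 ms    27 ms  lmi.rtr.wavepath.net [205.158.140.194]
  6    31 ms    32 ms    31 ms  192.168.5.2
 17   129 ms   135 ms   137 ms  wwwweast.usec.Sun.COM [192.9.49.30]
"""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def is_private(addr: str) -> bool:
    """True if addr falls in any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_hops(text: str) -> List[Tuple[int, str]]:
    """Return (hop number, responding address) for each hop line; skips the header."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue                      # header, blank line, or non-hop text
        addrs = IPV4_RE.findall(line)
        if addrs:                         # a timed-out hop has no address; skip it
            hops.append((int(parts[0]), addrs[-1]))   # last IPv4 is the hop's address
    return hops


def private_hops(text: str) -> List[Tuple[int, str]]:
    """Hops answering from private space: routers whose ICMP a border filter would drop."""
    return [(n, a) for n, a in parse_hops(text) if is_private(a)]


def border_filter_verdict(src: str) -> str:
    """Anti-spoofing rule from the thread: outside packets with a private source are dropped."""
    return "drop" if is_private(src) else "accept"
```

Run `private_hops(SAMPLE_TRACEROUTE)` to list the hops (1 and 6 in the sample) that a strict filter would cut off from you even though they are legitimate transit routers.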