On 2025-08-19 17:34, Sriram, Kotikalapudi (Fed) via NANOG wrote:
> Question: Can a prefix be never routed on the Internet but used only
> one-way for source address in IP packets?
You can have a prefix used for router interfaces, but not advertised to
the internet, and still have those routers appear in traceroutes (sending
ICMP unreachable / TTL expired) using their interface IPs. One of my
upstreams was doing this for a long time, but they now appear to be
advertising the prefix in question - I suspect to avoid people filtering
the ICMPs from it.
Some other UDP protocols, including DNS in some contexts (like some
resolver libraries), don't actually care what IP a reply comes from, so a
client might send a request to one IP on a multihomed server and receive
the answer from a different IP (which could be unadvertised). I doubt there
are many intentional use cases for this, but there might be some stuff
limping along working that way because it works.
Generally I don't think people should be filtering this stuff - if
someone were doing something malicious, they could presumably just spoof
it from an advertised IP - but I also wouldn't be surprised if it's on
many best-practice tickbox lists by now, and I'm guessing you're
looking at adding it to another one.
-Rob
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/OBIAXOHHTSASL52INN4EVKM54HU2Z4UW/
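As an added example (not part of Rob's post or anything else in the thread), the script below does the check his traceroute observation implies: parse `traceroute -n`-style output and flag hops whose responding address is not covered by any prefix the operator sees announced. The announced-prefix list and the traceroute text are constructed sample data using documentation ranges; 203.0.113.0/24 plays the role of an infrastructure range configured on router interfaces but never announced.

```python
"""Flag traceroute hops that answer from addresses outside any announced prefix.

Added example, not code from the NANOG post. ANNOUNCED_PREFIXES and
SAMPLE_TRACEROUTE are constructed sample data, not real measurements.
"""
import ipaddress
import re

# Constructed: prefixes the operator sees in the global routing table.
ANNOUNCED_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "2001:db8:1000::/36",
]

# Constructed `traceroute -n`-style output (one hop also shown with a
# hostname, as traceroute prints it without -n). 203.0.113.0/24 stands in
# for an infrastructure range used on router interfaces but never announced.
SAMPLE_TRACEROUTE = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.380 ms  0.371 ms
 2  203.0.113.9  1.902 ms  1.880 ms  1.874 ms
 3  * * *
 4  203.0.113.10  4.115 ms  4.090 ms  4.071 ms
 5  core.example.net (198.51.100.7)  6.301 ms  6.280 ms  6.255 ms
"""

# Matches "<hop>  <addr> ..." or "<hop>  <host> (<addr>) ..."; a silent hop
# ("* * *") lands in the <bare> group and is rejected below as a non-address.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?:(?P<host>\S+)\s+\((?P<paren>[^)]+)\)|(?P<bare>\S+))"
)


def parse_hops(text):
    """Return (hop number, responding address) pairs; silent hops are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or something unparseable
        addr = m.group("paren") or m.group("bare")
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # '*' for a silent hop, or other non-address text
        hops.append((int(m.group("hop")), addr))
    return hops


def build_table(prefixes):
    """Longest-prefix-first list so the first containing network is the most specific."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return sorted(nets, key=lambda n: (n.version, n.prefixlen), reverse=True)


def covering_prefix(addr, table):
    """The most specific announced prefix containing addr, or None if unannounced."""
    ip = ipaddress.ip_address(addr)
    for net in table:
        if net.version == ip.version and ip in net:
            return net
    return None


def unannounced_hops(text, prefixes):
    """Hops whose responding address is inside no announced prefix."""
    table = build_table(prefixes)
    return [(hop, addr) for hop, addr in parse_hops(text)
            if covering_prefix(addr, table) is None]


if __name__ == "__main__":
    for hop, addr in unannounced_hops(SAMPLE_TRACEROUTE, ANNOUNCED_PREFIXES):
        print(f"hop {hop}: {addr} answers from an unannounced prefix")
```

Feed it real `traceroute -n` output and a prefix list taken from a looking glass or a full-table dump, and the hops it reports are exactly the ICMP sources that a "drop packets from unannounced space" filter would silence. As Rob notes, that is not evidence of anything malicious, and filtering on it mainly costs you visibility into those hops.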