Saikat Guha wrote:

On Tue, 2006-07-04 at 19:25 -0400, Michael J Freedman wrote:
We don't really have such information. The problem you bring up is more an issue of legal route advertisements and is somewhat orthogonal to NATs.

I assume from the above example that FastWeb probably isn't announcing 41.0.0.0/8 anymore given its re-allocation; if that is the case, it's unclear to me how one could really differentiate between the two (when coming from NATs) without a priori knowledge.

The FastWeb problem actually was not them hijacking an address block (by
illegally announcing it to the rest of the world), but rather them
allocating those 'reserved' IPs to their private DHCP users who were
behind an ISP-wide NAT. That NAT would translate the reserved address to
FastWeb's legal address space when the packet exited FastWeb but not
otherwise. Basically, instead of 192.168.x.y, they opted to use
non-private addresses.  Certainly a configuration error (intentional or
otherwise). Last I heard, FastWeb did not intend to re-number their
private network -- so people in Turin still cannot get to Africa even if
the African server is on a public address.

I don't understand how this could be the case. If they are using an ISP-wide NAT then I assume the public facing address of the NAT is legitimate, in which case the DHCP allocated addresses have no effect on public routing. If the source address is not NAT'd to an address owned by the ISP then all the return traffic should be returned to the ISP advertising the prefix. What you're describing sounds like a problem with incomplete NATing, e.g. they have a private peering agreement with Africa on which the traffic is not NAT'd. Certainly this is a *NAT* configuration error as connectivity would not be restored if using addresses from reserved private space.

One way to detect such errors may be to check if the internal IP is
non-private, the external IP is non-private, and they are from address
blocks belonging to different (or non-existent) AS's.

It turns out that this is often the case; however, generally the public IP address belongs to a legitimate proxy. It may be interesting to consider L3 NATs only, as they must appear on-route, which is less likely to be owned by a different entity in the registry ... it's a good thought.

btw, do you know FastWeb's public address block? We can poke through our data and see if we have anything on it.

.martin

_______________________________________________
p2p-hackers mailing list
http://lists.zooko.com/mailman/listinfo/p2p-hackers
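
The check suggested in the thread (internal address non-private, external address non-private, origin AS different or missing), as an added example that is not part of the original messages. The prefix-to-AS table, the private-use AS numbers, the sample address pairs and the function names are all constructed for illustration; a real run would load origin-AS data from a BGP table dump or registry data.

```python
import ipaddress

# RFC 1918 space, i.e. the "192.168.x.y" style addresses the thread refers to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed prefix -> origin AS table (AS numbers are private-use placeholders).
PREFIX_TO_AS = {
    ipaddress.ip_network("41.0.0.0/8"): 64512,
    ipaddress.ip_network("203.0.113.0/24"): 64513,
    ipaddress.ip_network("198.51.100.0/24"): 64513,
}

def is_private(ip):
    return any(ip in net for net in RFC1918)

def origin_as(ip):
    """Longest-prefix match; None when no known prefix covers the address."""
    matches = [n for n in PREFIX_TO_AS if ip in n]
    if not matches:
        return None
    return PREFIX_TO_AS[max(matches, key=lambda n: n.prefixlen)]

def classify(internal, external):
    """Classify one (host-reported internal, observer-seen external) pair."""
    i, e = ipaddress.ip_address(internal), ipaddress.ip_address(external)
    if i == e:
        return "no-nat"
    if is_private(i):
        return "ordinary-nat"      # RFC 1918 inside, the expected case
    if is_private(e):
        return "inconclusive"      # observer itself sits behind a NAT
    as_i, as_e = origin_as(i), origin_as(e)
    if as_i is None or as_e is None or as_i != as_e:
        # Both public, different or unknown origin AS. Per the reply in the
        # thread, a legitimate proxy produces the same signature.
        return "suspect"
    return "same-as"               # both public, same origin AS

# Constructed sample pairs: (internal, external)
SAMPLES = [("192.168.1.10", "203.0.113.5"), ("41.1.2.3", "203.0.113.5"),
           ("198.51.100.7", "203.0.113.5"), ("100.1.2.3", "203.0.113.5")]

if __name__ == "__main__":
    for internal, external in SAMPLES:
        print(internal, external, classify(internal, external))
```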