[128783] in North American Network Operators' Group


Re: BCP38 exceptions for RFC1918 space

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Aug 16 07:03:00 2010

To: Florian Weimer <fw@deneb.enyo.de>
In-Reply-To: Your message of "Sun, 15 Aug 2010 19:02:50 +0200."
	<87y6c7erlx.fsf@mid.deneb.enyo.de>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 16 Aug 2010 07:02:35 -0400
Cc: nanog@merit.edu
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Sun, 15 Aug 2010 19:02:50 +0200, Florian Weimer said:
> * Valdis Kletnieks:
> 
> > On Sun, 15 Aug 2010 18:46:49 +0200, Florian Weimer said:
> >
> >> > And that connection that's trying to use PMTU got established across the
> >> > commodity internet, how, exactly? ;)
> >> 
> >> ICMP "fragmentation needed, but DF set" messages carry the addresses
> >> of intermediate routers which generate them (potentially in response
> >> to MTU drops) as source addresses, not the IP addresses of the peers
> >> in a connection.
> >
> > If any long-haul carriers are originating ICMP packets for other people's
> > consumption from 1918 addresses rather than addresses in their address space,
> > it's time to name-n-shame so the rest of us can vote with our feet and
> > checkbooks.  There's no excuse for that in this day and age.
> 
> What does "originating" mean?  Creating the packets?  Or forwarding
> them?

Either way, there's no excuse.

First off, remember that BCP38 and 1918 don't apply on your set of
interconnected private networks, no matter how big a net it is.  You want to
filter between two of your private nets, go ahead.  You don't want to, that's
OK too.  The fun starts when those packets leave your network(s) and hit the
public Internet.

Now that we have that squared away...

Either that intermediate router originated the ICMP 'frag needed' packet, in
which case somebody needs to be smacked for originating a 1918-addressed packet
on the public internet, or it's forwarding the packet.  And if it's forwarding
the packet, then somebody *else* needs to be smacked for injecting that packet
into the public internet.

What *possible* use case would require a 1918-sourced packet to be traversing
the public internet? We're all waiting with bated breath to hear this one. ;)
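The tension the thread describes, as an added illustration that is not part of Valdis's or Florian's posts: a BCP38-style ingress filter that is only applied at the public edge (not between your own private nets), and a report of the 1918-sourced ICMP "frag needed" messages it discards, which is what a PMTUD black hole caused by a misconfigured upstream router looks like from the filtering side. The `Packet` class, the `boundary` argument and the sample traffic are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 blocks. A BCP38-style ingress filter at the public edge drops
# packets claiming one of these as a source, including ICMP "fragmentation
# needed" (type 3, code 4) that a router emits from a 1918-numbered interface.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    icmp_type: int = -1   # 3 = destination unreachable
    icmp_code: int = -1   # 4 = fragmentation needed and DF set

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def is_frag_needed(pkt: Packet) -> bool:
    return pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 4

def ingress_decision(pkt: Packet, boundary: str):
    """boundary is 'public' (link to the public Internet) or 'private'
    (link between two of your own private networks). Returns (verdict, reason)."""
    if boundary == "private":
        return "accept", "BCP38/1918 filtering is optional between your own nets"
    if is_rfc1918(pkt.src):
        if is_frag_needed(pkt):
            return "drop", "1918-sourced frag-needed: PMTUD signal lost at public edge"
        return "drop", "1918 source arriving from the public Internet"
    return "accept", "globally routable source"

def pmtud_blackhole_sources(packets, boundary="public"):
    """Sources of frag-needed messages the edge filter discards. Each one is a
    router a PMTUD-dependent connection can no longer hear from; log them and
    chase the operator rather than opening a 1918 exception in the filter."""
    dropped = [p for p in packets if is_frag_needed(p)
               and ingress_decision(p, boundary)[0] == "drop"]
    return sorted({p.src for p in dropped})

# Constructed sample traffic arriving on the public-facing interface.
SAMPLE = [
    Packet("198.51.100.1", "203.0.113.5", "icmp", 3, 4),  # properly sourced
    Packet("10.1.2.3", "203.0.113.5", "icmp", 3, 4),      # 1918-sourced router
    Packet("192.168.0.9", "203.0.113.5", "tcp"),          # spoofed or leaked
    Packet("172.16.5.5", "203.0.113.5", "icmp", 11, 0),   # 1918 TTL exceeded
]
```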


