Subject: Re: Strange traceroute
From: Rob Quinn (rquinnSEC.SPRINT.NET)
Date: Tue Feb 08 2000 - 07:31:10 CST


> As I mentioned in some of my previous posts, some people use private IP range
> IP addresses [...] it works in most cases and doesn't interfere with anything
> but traceroute [...]

 These routers could be sending you ICMP messages. If you're filtering external
reserved IPs, you'll miss those packets. Check out
http://www.worldgate.com/~marcs/mtu/, "Path MTU Discovery and Filtering ICMP".
The last paragraph:

> So how can using RFC 1918 addresses for router links cause problems?
>
> On many routers, a separate IP address in the same subnet is required for
> each end of a point to point link. This can use address space if there are a
> large number of such links. Since the actual address of the links doesn't
> appear to impact much, many people use RFC 1918 private address space for
> such links. The blocks included in this are:
> 10.0.0.0 - 10.255.255.255 (10/8 prefix)
> 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
> 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
> If you are using such addresses, then ICMP messages (including "can't
> fragment" errors) will normally be generated using such addresses. Since many
> networks filter incoming traffic from such reserved addresses, the net result
> is the same as if all ICMP were being filtered and can cause the same
> problems.

--
| Opinions are _mine_, facts                                     Rob Quinn |
| are facts.                                                 (703)689-6582 |
|                                                    rquinnsec.sprint.net |
|                                                Sprint Corporate Security |
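
An added example, not part of the original message: a small audit that parses IPv4/ICMP packets and lists the "can't fragment" and TTL-exceeded errors that an ingress filter dropping RFC 1918 sources would discard. The packet builder, the sample addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct

# The three RFC 1918 blocks listed in the quoted paragraph.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP errors discussed in the thread: (type, code) -> what breaks when lost.
IMPACT = {
    (3, 4): "path MTU discovery (can't fragment)",
    (11, 0): "traceroute (TTL exceeded in transit)",
}

def parse_ipv4_icmp(pkt):
    """Return (src, icmp_type, icmp_code) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4   # header length; IP options shift the ICMP offset
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 2:
        return None             # malformed, not ICMP, or truncated
    return ipaddress.ip_address(pkt[12:16]), pkt[ihl], pkt[ihl + 1]

def audit(packets):
    """List the ICMP errors a 'drop RFC 1918 sources' ingress filter discards."""
    lost = []
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, icmp_type, icmp_code = parsed
        key = (icmp_type, icmp_code)
        if key in IMPACT and any(src in net for net in RFC1918):
            lost.append((str(src), icmp_type, icmp_code, IMPACT[key]))
    return lost

def build(src, icmp_type, icmp_code, dst="198.51.100.7"):
    """Constructed sample: 20-byte IPv4 header + 8-byte ICMP header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

# Constructed traffic, not captured data.
SAMPLE = [build("10.1.2.3", 3, 4), build("172.20.0.1", 11, 0),
          build("172.32.0.1", 3, 4), build("203.0.113.9", 11, 0),
          build("192.168.5.1", 0, 0)]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("dropped: %s type=%d code=%d -> breaks %s" % row)
```

The 172.32.0.1 sample sits just outside 172.16/12 and is not flagged, and the echo reply from 192.168.5.1 is omitted because its loss affects neither path MTU discovery nor traceroute.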