[wellylug] Routing the unroutable, aka 10.0.0.0/8

Christian Gagneraud chgans at gna.org
Fri Sep 26 15:50:31 NZST 2014


On 26/09/14 10:38, Ewen McNeill wrote:
> On 25/09/14 18:04, Christian Gagneraud wrote:
>> I was having network problems on our local network, while
>> troubleshooting I realise that from here I can access lot of address
>> belonging to the (theoretically not routed) private network 10.0.0.0/8
>> [10.0.0.0/8 linknet in the middle of traceroutes]
>
> The problem is with the "theoretically" not routed.  Back in the old
> days when there were lots more IPv4 addresses than people who wanted
> them, everything was numbered with globally unique IP addresses.  Which
> worked well, when there were abundant IP addresses just for the asking
> (literally when I first started using the Internet you could get a /24
> just by saying "hi, I'd like some IP addresses please" -- and more with
> some indication of how you'd use them).
>
> Starting 10-15 years ago this stopped being true.  So increasingly
> people started numbering "internal" things with "site-local" addresses.
>   For ISPs, the linknets between their routers are -- sort of --
> internal: they don't really need to talk to the outside world directly.
>   So at least 10+ years ago some ISPs started using RFC1918 address
> space for their router linknets, to conserve IPs (IIRC I first saw Xtra
> doing this around 2000).
>
> The trouble is that ISPs have customers.  And router linknets can appear
> in traceroutes, like the one you're doing.  So RFC1918 addresses
> randomly in the middle of traceroutes causes either (a) confusion, or
> (b) gaps (if your border firewall blocks RFC1918 addresses from the
> Internet).

Not only firewalls, what about BGP and co? How do you announce to the 
world that 10.X.Y.Z belongs to your AS, when these IP addresses are 
supposed to be private?

Another weird thing I found recently is people claiming IP addresses from 
the 127.0.0.0/8 block, e.g. 127.0.53.53 has been assigned to a huge 
number of domains with exotic TLDs. Check for example the valid domain 
"wikileaks.google" 
(https://www.robtex.com/en/advisory/dns/google/wikileaks/#records)

Of course if you traceroute or ping this address you end up on your 
loopback interface. Nonetheless:
$ dig wikileaks.google A
[...]
;; ANSWER SECTION:
wikileaks.google.       3600    IN      A       127.0.53.53
[...]
$ traceroute wikileaks.google
traceroute to wikileaks.google (127.0.53.53), 30 hops max, 60 byte packets
  1  127.0.53.53 (127.0.53.53)  0.037 ms  0.014 ms  0.013 ms
$

...


>
> Unfortunately demand for IPv4 addresses is even higher now, and there
> are no more IPv4 addresses to be able to give everyone the ample volume
> they want.  So it doesn't surprise me that more and more ISPs end up
> using RFC1918 addresses in ways that are visible in some situations. For
> a while longer the ones taking extra care can probably carefully hide
> that use from outside visibility (eg, reply with loopback address, which
> may still be one-public-IP-per-router).  But I expect private addresses
> will leak out more and more over the next couple of years, anywhere that
> doesn't require bidirectional end-to-end communication.
>
> TL;DR: nothing to see here, move along.
>
> Ewen
>
> PS:
>
>> Now if i scan the same subnet several time in a row, i don't get the
>> same result, weird!
>
> There are probably multiple, equal cost, paths the traffic can take at
> that point.
>
>
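Added example (not code from the thread): a small checker that parses traceroute hop lines and dig A-record lines like the ones above and flags hops sitting on RFC 1918 linknets or answers pointing into 127.0.0.0/8, which is what a border firewall or a name-resolution audit would want to spot. The traceroute text and the A record are constructed samples; 203.0.113.0/24 stands in for a public destination.

```python
import ipaddress
import re

# Address blocks the thread discusses: RFC 1918 site-local space (used for
# ISP router linknets) and the 127/8 loopback block (the 127.0.53.53 record).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample input: two RFC 1918 linknets, one unresponsive hop,
# then a "public" destination taken from the 203.0.113.0/24 documentation range.
SAMPLE_TRACEROUTE = """\
traceroute to example.invalid (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.512 ms  0.401 ms  0.398 ms
 2  10.20.30.1 (10.20.30.1)  5.210 ms  5.004 ms  5.133 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  12.01 ms  11.87 ms  11.92 ms
"""
SAMPLE_A_RECORD = "wikileaks.google.       3600    IN      A       127.0.53.53"

# "<hop>  <name> (<ipv4>)  <rtt> ms ..."; timeout lines such as " 3  * * *" do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
# dig ANSWER SECTION line: "<name>  <ttl>  IN  A  <ipv4>"
A_RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def classify(addr):
    """Return 'loopback', 'rfc1918' or 'global' for a dotted-quad IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "global"


def audit_traceroute(text):
    """List (hop, address, class) for every hop that answered."""
    return [(int(m.group(1)), m.group(2), classify(m.group(2)))
            for m in map(HOP_RE.match, text.splitlines()) if m]


def leaked_hops(text):
    """Hop numbers whose responding router used an RFC 1918 linknet address."""
    return [hop for hop, _, cls in audit_traceroute(text) if cls == "rfc1918"]


def flag_a_record(line):
    """Parse one dig A-record line into (name, address, class); None if it is not an A record."""
    m = A_RECORD_RE.match(line)
    return (m.group(1), m.group(2), classify(m.group(2))) if m else None
```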
