On 13/04/2010, at 2:37 PM, Florent Bouron wrote:
Well, we know that some sites run Net 1 behind a NAT when they should be running an RFC 1918 prefix. We also know that pretty much everybody is configured to drop RFC 1918 destination packets, but since Net 1 is a valid prefix there is no reason to drop it.
So the real question is probably: why are packets being sent to addresses that are behind NATs?
Put it this way: if a device that implements NAT translates the 1/8 IP addresses to the real IPs the customer owns and has a subnet within 1/8 directly attached, but also participates in dynamic routing with border routers or ISP routers, then whether you use NAT or not, the 1/8 network will be injected into the ISP's routing tables ...
With a poorly configured router at the ISP and the user's site, sure. However that doesn't explain why there are packets on the wider Internet that are destined to 1/8 addresses. I think Brian is right in suggesting peer to peer, and I imagine there are other things as well. For example, responses to packets sourced from 1/8 addresses. Perhaps there is a NAT somewhere that only NATs TCP, UDP and ICMP, and doesn't drop other protocols. Perhaps there is a botnet sending packets from 1/8 addresses, because that was a random address that the script kiddie that put it together came up with. There are any number of scenarios that could be causing traffic to 1/8. I'm not convinced it is operationally useful for us to know why this is happening, just that it is, and how to avoid it impacting us.

If it's being caused by people using 1/8 when they shouldn't have, they'll have to fix it soon enough.

It occurs to me that 1/8 could perhaps be primarily given to APNIC members who are asking for IPv4 space for dynamic end users. If the assumption that most 1/8 users are end users behind bad NATs is correct then impact is limited to preventing peer to peer between the two hosts, and most peer to peer systems have ways to minimise the negative impact of these situations, either with help from other hosts or alternative peers. If, however, someone got a 1/8 address for a web server or similar, then impact would be quite a bit worse.

-- 
Nathan Ward
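The scenarios Nathan lists (1/8 sources leaking through a NAT that only translates TCP, UDP and ICMP, and replies flowing back towards 1/8) can be checked against flow records at a border. The script below is an added illustration, not from anyone in this thread; the flow records, the `NATTED` protocol set and the label names are all constructed for the example, and the addresses are documentation ranges.

```python
"""Label constructed flow records by how they involve 1/8 (Net 1)."""
import ipaddress
from collections import Counter

NET1 = ipaddress.ip_network("1.0.0.0/8")
# Protocols a partial NAT is described as translating; a packet in any other
# protocol sourced from 1/8 may leave the site untranslated (assumed set).
NATTED = {"tcp", "udp", "icmp"}

# Constructed sample flows: (src, dst, protocol). Not real captures.
SAMPLE_FLOWS = [
    ("1.2.3.4", "203.0.113.10", "tcp"),   # 1/8 source, translated protocol
    ("1.9.8.7", "198.51.100.5", "gre"),   # 1/8 source leaked untranslated
    ("198.51.100.5", "1.9.8.7", "gre"),   # reply to the leaked GRE packet
    ("203.0.113.10", "1.2.3.4", "udp"),   # to 1/8, no matching outbound seen
    ("192.0.2.1", "192.0.2.2", "tcp"),    # unrelated traffic
]


def classify(flows):
    """Return [(flow, label)] using the scenarios discussed in the thread."""
    # First pass: remember every flow that left with a 1/8 source so that
    # traffic towards 1/8 can be matched as a reply to it.
    seen_from_net1 = set()
    for src, dst, proto in flows:
        if ipaddress.ip_address(src) in NET1:
            seen_from_net1.add((src, dst, proto.lower()))
    labelled = []
    for src, dst, proto in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        p = proto.lower()
        if s in NET1 and p not in NATTED:
            label = "src-1/8-untranslated-protocol"
        elif s in NET1:
            label = "src-1/8"
        elif d in NET1 and (dst, src, p) in seen_from_net1:
            label = "dst-1/8-reply-to-leaked"   # reverse tuple was seen outbound
        elif d in NET1:
            label = "dst-1/8-unexplained"
        else:
            label = "not-1/8"
        labelled.append(((src, dst, proto), label))
    return labelled


def summarise(flows):
    """Count flows per label, the shape an operator would chart over time."""
    return Counter(label for _, label in classify(flows))


if __name__ == "__main__":
    for flow, label in classify(SAMPLE_FLOWS):
        print(f"{label:32} {flow}")
    print(summarise(SAMPLE_FLOWS))
```

Run against real flow exports, the `dst-1/8-unexplained` bucket is the one the message says is worth watching, since the others have a local explanation.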