What's the BCP/RFC that says that routers within an ISP network should not have RFC1918 link IPs? - NZNOG - lists.nznog.org

newer
IANA AS Numbers registry update

What's the BCP/RFC that says that routers within an ISP network should not have RFC1918 link IPs?

older
[OT] {Humour} NCSC.govt.nz...

Matt Grant

26 Feb 2014 26 Feb '14

3:51 a.m.

Hi! Know I am some small fry on the list, but your help would be appreciated. This would be useful in talking to my ISP about some PMTU issues that I am having re a VPN going over PPPoE, with MTU 1480. Thanks! Matt Grant

Reply

Sign in to reply online Use email software

Show replies by date

Mike Cooper

26 Feb 26 Feb

3:55 a.m.

http://lmgtfy.com/?q=What%27s+the+BCP%2FRFC+that+says+that+routers+within+an... HTH On Thu, Feb 27, 2014 at 11:51 AM, Matt Grant wrote:

Hi!

Know I am some small fry on the list, but your help would be appreciated.

This would be useful in talking to my ISP about some PMTU issues that I am having re a VPN going over PPPoE, with MTU 1480.

Thanks!

Matt Grant

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

Dave Mill

4 a.m.

As a slightly more serious reply (though Mike's URL did work surprisingly well..) I would assume we are going to see more and more RFC1918 addresses used by ISPs as IPv4 runs out and CGN is used more. I'm aware of at least 3 ISPs in NZ doing this (we're one of them to some extent with a couple of our prepay products) and I'd expect there are more. Cheers Dave On Thu, Feb 27, 2014 at 11:55 AM, Mike Cooper wrote:

http://lmgtfy.com/?q=What%27s+the+BCP%2FRFC+that+says+that+routers+within+an...

HTH

On Thu, Feb 27, 2014 at 11:51 AM, Matt Grant wrote:

...
Hi!

Know I am some small fry on the list, but your help would be appreciated.

This would be useful in talking to my ISP about some PMTU issues that I am having re a VPN going over PPPoE, with MTU 1480.

Thanks!

Matt Grant

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

Neil Fenemor

4:13 a.m.

As an ISP'll end up with collisions with their customers if RFC1918 space is used for their intermediary/ISP portion of NAT444, a new /10 (specifically 100.64.0.0/10) was allocated for this use. RFC6598 details the allocation, and the use cases for it. -- Neil Fenemor | +64 21 978 078 | Facetime | Skype On 27 February 2014 at 12:00:57 pm, Dave Mill (davemill(a)gmail.com) wrote: As a slightly more serious reply (though Mike's URL did work surprisingly well..) I would assume we are going to see more and more RFC1918 addresses used by ISPs as IPv4 runs out and CGN is used more. I'm aware of at least 3 ISPs in NZ doing this (we're one of them to some extent with a couple of our prepay products) and I'd expect there are more. Cheers Dave On Thu, Feb 27, 2014 at 11:55 AM, Mike Cooper wrote: http://lmgtfy.com/?q=What%27s+the+BCP%2FRFC+that+says+that+routers+within+an... HTH On Thu, Feb 27, 2014 at 11:51 AM, Matt Grant wrote: Hi! Know I am some small fry on the list, but your help would be appreciated. This would be useful in talking to my ISP about some PMTU issues that I am having re a VPN going over PPPoE, with MTU 1480. Thanks! Matt Grant _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

Lloyd Parkes

5:52 a.m.

New subject: What's the BCP/RFC that says that routers within an ISP network should not have RFC1918 link IPs?

On 27/02/2014, at 12:13 pm, Neil Fenemor wrote:

As an ISP'll end up with collisions with their customers if RFC1918 space is used for their intermediary/ISP portion of NAT444, a new /10 (specifically 100.64.0.0/10) was allocated for this use. RFC6598 details the allocation, and the use cases for it.

Is there anyone here who has had to choose between CGN and dual-stack lite and is willing to say why they made the choice they did. I’m familiar with the various possible issues and I’m interested in hearing about what people’s actual issues have been. Cheers, Lloyd

Reply

Sign in to reply online Use email software

Lindsay Hill

6 a.m.

The key problem with DS-Lite that I see is that it requires CPE config - it's just too much hassle. Seems to be easier to go for CGN (with all the problems that entails). On Thu, Feb 27, 2014 at 1:52 PM, Lloyd Parkes

wrote:

On 27/02/2014, at 12:13 pm, Neil Fenemor wrote:

As an ISP'll end up with collisions with their customers if RFC1918 space is used for their intermediary/ISP portion of NAT444, a new /10 (specifically 100.64.0.0/10) was allocated for this use. RFC6598 details the allocation, and the use cases for it.

Is there anyone here who has had to choose between CGN and dual-stack lite and is willing to say why they made the choice they did. I'm familiar with the various possible issues and I'm interested in hearing about what people's actual issues have been.

Cheers, Lloyd

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

Nathan Ward

7:46 a.m.

New subject: What's the BCP/RFC that says that routers within an ISP network should not have RFC1918 link IPs?

Yeah, DS Lite requires CPE support, so it’s a non-starter for most NZ providers. Last time I looked at it, which was a few years ago admittedly, there was no backwards compatibility - a provider had to transition all customers to DS-L, and IPv4-only service was no longer possible. Its key benefit is to “eliminate” double IPv4 NAT, but, that isn’t important and it doesn’t actually achieve it. I looked at some data with someone (who I won’t name but they might like to implicate themselves) that showed that something like 20% of outbound packets from a medium sized NZ ISP had a set of TTL values that indicated double-NAT (or an extra routing hop but that doesn’t seem that likely), in the customer premise. Something like 3% had more than two. That’s % of packets, not % of users. I’m unsure whether it’d be higher or lower if it were % of users. Anyway, given that, it’s my view that an extra NAT hop isn’t going to negatively impact the majority of customers. Sure, it’s bad for the Internet etc. etc. but we’re already there and almost all applications deal with it already. If a customer needs a “port forward”, they’re not going to get that with DS-Lite any easier than they are with an extra NAT hop in the ISP. On 27/02/2014, at 2:00 pm, Lindsay Hill wrote:

The key problem with DS-Lite that I see is that it requires CPE config - it's just too much hassle. Seems to be easier to go for CGN (with all the problems that entails).

On Thu, Feb 27, 2014 at 1:52 PM, Lloyd Parkes wrote:

On 27/02/2014, at 12:13 pm, Neil Fenemor wrote:

...
As an ISP'll end up with collisions with their customers if RFC1918 space is used for their intermediary/ISP portion of NAT444, a new /10 (specifically 100.64.0.0/10) was allocated for this use. RFC6598 details the allocation, and the use cases for it.

Is there anyone here who has had to choose between CGN and dual-stack lite and is willing to say why they made the choice they did. I’m familiar with the various possible issues and I’m interested in hearing about what people’s actual issues have been.

Cheers, Lloyd

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

TreeNet Admin

4:19 p.m.

Meanwhile in a retail shop near you sit at least two, maybe three, brands of CPE devices for general sale with built-in IPv6. I have been sold two ADSL2+ modem/wifi/routers in the last 6 months that seemed to be wanting to accept IPv6 assignment from ISP (Belkin and Netgear). Sadly ISP did not supply and helldesk says "we dont have any plans to provide that", so it defaults to off with no way to tell if CPE fully works or not. The 6to4 mapping on the Netgear seems to work a treat anyways when manually enabled, so me customers happy enough for now. Anyone familiar with the latest (in)compatibility reasons for that lack of service on NZ provider networks using the currently available CPE? AYJ

Reply

Sign in to reply online Use email software

Lindsay Hill

27 Feb 27 Feb

2:10 a.m.

Anyone familiar with the latest (in)compatibility reasons for that lack of service on NZ provider networks using the currently available CPE?

It's not really about lack of CPE compatibility - ISPs could just start offering v6 to all customers, same as Snap currently does. Then it's up to the CPE to request a PD via DHCPv6 (or not). It's more about having all the other bits in place - at a pure network level it's pretty straightforward, but it's all the associated management pieces (accounting, static allocations, etc) that take time. There's also some nervousness about possible problems that might be caused by misconfigured systems. I think it's unfounded nervousness, similar to concern over switching on DNSSEC validation. But I'm not the only one to have a say in it. Not to mention funding/prioritisation issues, but I don't really want to go there. On Fri, Feb 28, 2014 at 12:19 AM, TreeNet Admin wrote:

Meanwhile in a retail shop near you sit at least two, maybe three, brands of CPE devices for general sale with built-in IPv6.

I have been sold two ADSL2+ modem/wifi/routers in the last 6 months that seemed to be wanting to accept IPv6 assignment from ISP (Belkin and Netgear). Sadly ISP did not supply and helldesk says "we dont have any plans to provide that", so it defaults to off with no way to tell if CPE fully works or not. The 6to4 mapping on the Netgear seems to work a treat anyways when manually enabled, so me customers happy enough for now.

Anyone familiar with the latest (in)compatibility reasons for that lack of service on NZ provider networks using the currently available CPE?

AYJ

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

Richard Patterson

26 Feb 26 Feb

8:12 p.m.

We're rolling out CGN with PCP[1,2] to help mitigate some of the risks involved, however applications may have to adapt to make proper use of it, as it doesn't work too well currently. Things like uTorrent pick a port and then keep requesting it with UPnP even if it keeps failing, instead of trying a new one. Our particular vendor's PCP implementation dedicates a block of ports to be used for PCP MAPs, and the client cannot use a port outside of that block, not even a port that's been reserved for that subscriber's SNAT block. Thankfully the range we've allocated will include the XBox Live port (3074), but that is then only good for the first subscriber that sends a PCP MAP, subsequent attempts from subs behind the same IP will fail. There is a UPnP function, AddAnyPortMapping() as specified in IGD:2, that when translated into a PCP MAP will prefer a port, but if unavailable will accept any offered by the PCP server. However all of our Broadcom chipset based CPEs don't support it, and I have no idea how many applications would use it either. We'll only be deploying CGN in conjunction with dual stacked IPv6 in an attempt to offload traffic off CGN and also mitigate the risks. That then introduces new issues like do we leave the IPv6 firewall on by default? And do any applications support the the the WANIPv6FirewallControl [3] UPnP features to open up pinholes dynamically? Oh wait, that's part of IGD:2 which our CPEs don't support. :( FWIW: We're looking at leaving the IPv6 firewall on by default, but allowing IPSec[4] to all internal hosts, following the XBox One P2P approach[5]. Things aren't necessarily easier even when you have in-house CPE developers. Apologies for the rant! -Richard Appropriate links: [1] PCP: https://tools.ietf.org/html/rfc6887 [2] UPnP<->PCP Interworking Function: http://tools.ietf.org/search/rfc6970 [3] http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf [4] IPv6 Security Suggestions: https://tools.ietf.org/html/rfc6092 [5] XBox One presentation at NANOG: http://www.youtube.com/watch?v=VSjljW4clPM On Thu, Feb 27, 2014 at 12:52 AM, Lloyd Parkes < lloyd(a)must-have-coffee.gen.nz> wrote:

On 27/02/2014, at 12:13 pm, Neil Fenemor wrote:

As an ISP'll end up with collisions with their customers if RFC1918 space is used for their intermediary/ISP portion of NAT444, a new /10 (specifically 100.64.0.0/10) was allocated for this use. RFC6598 details the allocation, and the use cases for it.

Is there anyone here who has had to choose between CGN and dual-stack lite and is willing to say why they made the choice they did. I'm familiar with the various possible issues and I'm interested in hearing about what people's actual issues have been.

Cheers, Lloyd

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

Ben Aitchison

4:08 a.m.

I think the general idea is that you shouldn't rely on PMTU. Even with PPPoE you should be able to raise the MTU to at least 1492 and sometimes 1500. Ben. On Thu, Feb 27, 2014 at 11:51:40AM +1300, Matt Grant wrote:

Hi!

Know I am some small fry on the list, but your help would be appreciated.

This would be useful in talking to my ISP about some PMTU issues that I am having re a VPN going over PPPoE, with MTU 1480.

Thanks!

Matt Grant

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

Joe Abley

10:41 p.m.

New subject: What's the BCP/RFC that says that routers within an ISP network should not have RFC1918 link IPs?

On 26 Feb 2014, at 17:51, Matt Grant wrote:

Know I am some small fry on the list, but your help would be appreciated.

The BCP you’re looking for is called RFC 1918. The devices you see numbered out of RFC 1918 address ranges require global network-level communication. If you need examples of what communication is reasonably required, you can cite RFC 792 (e.g. ICMP type 3 code 4, which is what is biting PMTUd, or ICMP type 11 code 0, which is what will bite traceroute). You could also just acknowledge that no number of RFC citations is going to change anybody’s mind, and resort to hacks like in-band MSS reduction to give your TCP segments a fighting chance of traversing the RFC 1918 wasteland without hitting an interface MTU limit. The reality is that ICMP is so over-filtered across the world that relying on correct operation with a depressed MTU is mainly just a game of whack-a-mole. The only way to win is not to play. Joe

Reply

Sign in to reply online Use email software

3951

Age (days ago)

3952

Last active (days ago)

Download

11 comments

11 participants

tags

participants (11)

Ben Aitchison
Dave Mill
Joe Abley
Lindsay Hill
Lloyd Parkes
Matt Grant
Mike Cooper
Nathan Ward
Neil Fenemor
Richard Patterson
TreeNet Admin