Hello,

Private ranges defined in RFC1918 are standard internal "non-routable" addresses. These are the following ones:

192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

This is only a convention. Any router is of course able to route them (seems evident but not always to everyone...). As Jorge said, it's part of the responsibility of the ISP to filter those addresses.

Interesting fact in the pasted traceroute below is that no intermediate router seems to filter them, which is very unusual if it is a public network. This could come from several possibilities:

ISP:
- no ACLs are configured on the ISP's routers to filter private addresses (cardinal sin #1)
- ACLs on the ISP's routers are configured to check only destination addresses (NAT done by 62.150.42.1 when requesting, and the return flow allowed because the check on the NATed destination address (still 62.150.42.1) is correct).
- those flows are permitted for debugging purposes (should be VERY temporary)

DESTINATION NETWORK:
- No inbound NATting or filtering to internal active elements (cardinal sin #2)

In other words, anyone could break into the destination network with a private address. Of course it would be possible to trace back the attacker, but simple filtering (OSI level 3) could seriously increase network level security.

Maybe some other things to say...

Regards,
laurent kempenaar
Security Consultant

-----Original Message-----
From: Jorge Coll [mailto:jcat_private]
Sent: Monday, April 07, 2003 5:22
To: Vineet Mehta
Cc: pen-testat_private
Subject: RE: Traceroute Question

Sometimes ISPs assign their internal routers an IP in this address range (192.168.*.* / 10.*.*.* / etc). These addresses aren't uniquely addressable (i.e. you can't "ping" them from various locations and expect either a response, or a response from that particular host). The routers (especially border ones) are supposed to be configured NOT to route these private ranges, so it is OK for them to use a non-public address on these routers.

~ ).(.
-----Original Message-----
From: Vineet Mehta [mailto:vineetat_private]
Sent: Monday, April 07, 2003 4:20 AM
To: pen-testat_private
Subject: Traceroute Question

Hi all,

While trying to do a traceroute to one of the servers I get the following reply:

$traceroute a.b.c.d
 1 192.168.0.254 (192.168.0.254) 0.442 ms 0.397 ms 0.358 ms
 2 62.150.42.1 (62.150.42.1) 1.951 ms 1.315 ms 1.249 ms
 3 172.17.8.149 (172.17.8.149) 43.577 ms 23.481 ms 17.653 ms
 4 border.qualitynet.net (195.226.227.1) 19.935 ms 20.902 ms 21.896 ms
 5 isp.qualitynet.net (195.226.227.10) 19.928 ms 23.302 ms 21.839 ms
 6 192.168.226.38 (192.168.226.38) 71.321 ms 282.457 ms *

My question is: why am I getting the non-routable address 192.168.226.38 in the traceroute reply? As far as I know this private address space is not routable on the Internet. Any suggestions?

Vineet
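As an added example (not part of the thread), a short Python check that parses the traceroute quoted above and flags every hop in the three RFC1918 ranges Laurent lists, separating the expected private first hop from private addresses that appear past a public router, which is the filtering gap the thread discusses.

```python
import ipaddress
import re

# The three RFC1918 ranges listed in the thread (not ipaddress.is_private,
# which also covers loopback, link-local and other reserved space).
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One traceroute hop: "<n> <host> (<ip>) ...". A hop that only timed out
# ("7 * * *") carries no address and is skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")

# The traceroute quoted in the original question, re-typed one hop per line.
TRACEROUTE = """\
 1 192.168.0.254 (192.168.0.254) 0.442 ms 0.397 ms 0.358 ms
 2 62.150.42.1 (62.150.42.1) 1.951 ms 1.315 ms 1.249 ms
 3 172.17.8.149 (172.17.8.149) 43.577 ms 23.481 ms 17.653 ms
 4 border.qualitynet.net (195.226.227.1) 19.935 ms 20.902 ms 21.896 ms
 5 isp.qualitynet.net (195.226.227.10) 19.928 ms 23.302 ms 21.839 ms
 6 192.168.226.38 (192.168.226.38) 71.321 ms 282.457 ms *
"""


def is_rfc1918(ip: str) -> bool:
    """True if ip lies in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def private_hops(output: str) -> list[tuple[int, str, bool]]:
    """(hop, ip, beyond_edge) for every RFC1918 hop in a traceroute.
    beyond_edge is True once a public hop has already been passed: hop 1 is
    normally the local gateway and expected to be private, but a private
    address after a public router (hops 3 and 6 here) means nothing on the
    path filtered RFC1918 traffic."""
    seen_public, hits = False, []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, ip = int(m.group(1)), m.group(3)
        if is_rfc1918(ip):
            hits.append((hop, ip, seen_public))
        else:
            seen_public = True
    return hits


if __name__ == "__main__":
    for hop, ip, beyond in private_hops(TRACEROUTE):
        where = "past the first public router" if beyond else "local gateway side"
        print(f"hop {hop}: {ip} is RFC1918 ({where})")
```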
This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 08:40:46 PDT