Packets from 10.0.0.0/24

James Wilkinson fedora at aprilcottage.co.uk
Thu Feb 16 19:38:31 UTC 2012


Bruno Wolff III wrote:
> While it is possible you are receiving packets that claim to come from
> 10.*.*.* addresses, most likely the source is local to your network.

Tim wrote:
> Or, perhaps, internal to your ISP.  To get an attempt from an address
> like that, it'd have to be on one side or the other of your connection,
> no further away.

Actually, that isn’t necessarily true.

If you can put packets on the Internet coming *from* a 10.*.*.* address
and going *to* a routable address, they’ll probably get through fine.
There’s no way of responding to them, of course, so you can’t do TCP/IP
connections.

One legitimate case where this can happen is if an ISP uses 10.*.*.*
addresses for internal routing:
    internet <---> gateway router <---> internal router <---> computers
       public addresses         10.*.*.*          public addresses

(Note there’s absolutely no NAT in this scenario. All packets retain the
same publicly routable source and destination IP addresses right across
the network.)

Custom routes on the gateway and internal routers make this Just Work in
exactly the same way as it would if the ISP had used public addresses.
Normally, no-one will notice in the slightest, but if you traceroute a
computer on this network, you should receive responses from the 10.*.*.*
address of the internal router.

Of course, the internal router can’t make its own TCP/IP connections to
the Internet, but you wouldn’t want it to anyway.

It’s possible for other ISPs to drop these packets, of course, but most
(?) don’t for three reasons (at least for packets that haven’t come from
their own network):
 * there are legitimate reasons why an Internet connection might have
   very different outbound and return routes (especially where you have
   asymmetric costs or bandwidth), and breaking those connections will
   cost the ISP in support calls,

 * that means you can already send packets across the Internet with fake
   sender IP addresses: blocking a few of them doesn’t exactly stop
   trouble,

 * it means extra work for their engineers and routers.

Hope this helps,

James.

-- 
E-mail:     james@ | … you don’t know who else your internet partner is
aprilcottage.co.uk | chatting with.  There’s nothing worse than a Turing
                   | Test coming back positive for chlamydia.
                   |     – http://blag.xkcd.com/2009/09/05/
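As an added illustration (not code from James's message or from the Fedora project), the following Python script shows how a defender can sort inbound packets with 10.*.*.* sources into the cases the post distinguishes: ICMP time-exceeded replies that fit the "ISP internal router" picture, TCP SYNs that can never complete a handshake and so are either local or forged, and everything else. The log format, the traceroute output and all addresses are constructed for the example; the function names are my own.

```python
"""Classify inbound packets whose source is an RFC 1918 address.

Added example, not code from the original mailing-list post.  The log
format and the traceroute output below are constructed for illustration.
"""
import ipaddress
from collections import Counter

# RFC 1918 ranges.  100.64.0.0/10 (RFC 6598 shared address space, used
# for carrier-grade NAT) is deliberately not included; it is a different case.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall-style log: "<src> <dst> <proto> <detail>"
SAMPLE_LOG = """\
10.0.0.7      203.0.113.5  tcp   SYN
10.3.1.1      203.0.113.5  icmp  time-exceeded
198.51.100.9  203.0.113.5  tcp   SYN
10.0.0.7      203.0.113.5  udp   dport=53
192.0.2.44    203.0.113.5  icmp  echo-request
"""

# Constructed traceroute output from a host on such an ISP's network.
SAMPLE_TRACEROUTE = """\
 1  192.168.1.1   1.2 ms
 2  100.64.0.1    8.0 ms
 3  10.3.1.1      9.5 ms
 4  198.51.100.1  15.1 ms
 5  * * *
 6  203.0.113.5   20.3 ms
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def classify(line: str) -> str:
    """Label one log line.

    A private-source ICMP time-exceeded is exactly what the post describes:
    a traceroute reply from an ISP's internal 10.x router.  A private-source
    TCP SYN can never complete a handshake (the reply has nowhere to go), so
    it is either a host on the local side of the link or a packet whose
    source address was forged.
    """
    src, _dst, proto, detail = line.split(maxsplit=3)
    if not is_rfc1918(src):
        return "public-source"
    if proto == "icmp" and detail.strip() == "time-exceeded":
        return "private-source-icmp-ttl"
    if proto == "tcp" and "SYN" in detail:
        return "private-source-tcp-syn"
    return "private-source-other"


def count_verdicts(log_text: str) -> dict:
    """Count each label across a whole log."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return dict(Counter(classify(l) for l in lines))


def private_hops(traceroute_text: str) -> list:
    """Return (hop number, address) for every hop that answered from RFC 1918 space."""
    hops = []
    for line in traceroute_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] == "*":
            continue  # unanswered hop
        try:
            if is_rfc1918(parts[1]):
                hops.append((int(parts[0]), parts[1]))
        except ValueError:
            continue  # second field is not an address
    return hops


if __name__ == "__main__":
    for label, n in sorted(count_verdicts(SAMPLE_LOG).items()):
        print(f"{label:26s} {n}")
    print("private hops in traceroute:", private_hops(SAMPLE_TRACEROUTE))
```

Run against the constructed data it reports two public-source lines, one private-source ICMP TTL reply, one private-source SYN and one other, and lists hops 1 and 3 of the traceroute as RFC 1918 responders; hop 2 (100.64.0.1) is not flagged because shared address space is kept separate from the RFC 1918 ranges on purpose.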

