Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1662
Views
1
Helpful
16
Replies

How does the ISP filter private IP addresses?

Go to solution
Mitrixsen
Level 1
Level 1

‎01-27-2025 03:04 AM - edited ‎01-27-2025 03:09 AM

Hello, everyone.

I am studying for my ENCOR exam and my current topic is NAT. From my CCNA studies, I understand that private IP addresses aren't routable. The ISP will drop traffic destined to these addresses and also traffic that is sourced from these addresses.

My question is, how exactly is this implemented from the ISP's side? I would like just a quick high-level overview if possible. The routers must have some sort of filtering applied, correct? And whatever is filtering this traffic also  has to read the source.

Thank you

David

//Edit: Does this filtering only check whether the destination IP is a private IP address (thus it should be dropped) or does it also check the source? That's something that I am unsure about.

Labels:
0 Helpful
16 Replies 16

Go to solution
M02@rt37
VIP
VIP
In response to Devaa

‎01-27-2025 06:57 AM - edited ‎01-27-2025 06:58 AM

Hello @Devaa 

uRPF  is more related to protect a BGP router, 'BGP speaker', from DoS attacks that employ source IP spoofing in the data plane.

To go further concerning uRPF, an attacker can send IP packets with a spoofed or randomly changing source address to the destination, consuming resources and causing a DoS attack. These attacks are possible because routers only check for a destination IP address before forwarding IP packets, not the source address. 

To sum up: uRPF checks if an entry exists in the routing table matching the source IP before forwarding...

 

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Devaa

‎01-27-2025 07:17 AM

uRPF might be used, but if used, it needs to be used with extreme care, as it's not just a question that a router doesn't have a route for the source destination, but whether that the ingress packet arrived on an interface that would be used as an egress interface if sending to the source IP.  Basically it assumes symmetrical routing, and, of course, real routing can be asymmetric for various reasons.

That noted, uRPF, might be just fine with a PE interface to a CE, when there's only one such link to the customer.

0 Helpful
Customers Also Viewed These Support Documents