routing from internal network to external (internet) - is this possible?

SJ K
Level 5

Hi all,

I know that private IPs cannot be used on the internet. But what is the component that prevents it?

In the setup below, assuming I am assigned a /24 public IP block but I am not going to use or assign them (e.g. via NAT), how/where will my packet from host 1 to 8.8.8.8 be dropped?

Regards
Noob


16 Replies

shrikantdandin
Level 1

Your packet will be dropped either by the ISP router, if it has filtered non-public source traffic at its router, or at the 8.8.8.8 host, which will not have a route for your private network when replying.

For your information, private networks are not advertised on the internet, hence you cannot communicate using private IP subnets.

 

Hi Shrikantdandin,

Thanks for replying.

 

Can I summarize to say that

1) if the ISP router did not do any filtering, the packet can still be routed out (one direction) to the destination

2) the destination, however, will not be able to route the packet back as

     a) its router will not have a route to an "internal" network; even if there is one, it is to their own "internal network"

     b) private networks are not advertised between hops (routers) on the internet; hence there is no way the reply packet can reach back to the source.

 

Am I right?

 

Regards,
Noob

q1) yes because routing is done by destination IP

q2) private IPs are not in the internet routing tables, so it cannot be routed back.

Jon

Thanks guys!

The key point here is that routers that sit on the internet and exchange routes will not advertise or accept advertisements containing private address space - it is something service providers must be very careful to avoid.

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

On point two, destination and transit ASs might also have private network space in their routers, which might overlap with what you're sending from.

As other posters have noted, normally measures are taken so that packets containing private IPs are not exchanged between ASs. If an AS is "sloppy", i.e. it forwards your packet to the valid destination, the packets being returned, with private IPs, will either be dropped as an unknown destination or routed to a local private network. (NB: unknown destinations might transit across several routers following a default route path.)

As others have also noted, your outbound packets might be delivered, but they might not be, because they might be filtered or reverse path checked (http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html), even at the first ISP router.

Hi Joseph,

 

Duly noted. Thanks.

As you mentioned, ASs might have private network space in their routers, and packets being returned, with private IPs, will either be dropped as an unknown destination or routed to a local private network

--  what will happen if the original packet is using the same private network space and the packet is being routed to the AS's own local private network instead?

 

Regards,

Noob


Well, as Jon has already noted, a packet is forwarded only by its destination IP. Which means, if the original packet has only a private IP in its source address, it won't be involved in the forwarding decision. (Again, the source IP might still be subjected to analysis that will block the packet at some point.)

So, your private IP will only be a routing consideration if the receiving host is trying to reply and uses your original source IP as the return packet's destination IP. (I suspect you understand the foregoing, but I did want to ensure there's no misunderstanding.)

Ok, so if the original destination host generates a packet with a private IP for the destination IP, it would (most likely) be treated, from that host, like any other packet that host generates with a private IP in the destination. I.e. the network will attempt to deliver it.

If the destination prefix is totally unknown, the packet will be dropped unless the forwarding router has a default route (or aggregate) that covers it.

Assuming there's a local private subnet that matches the destination, the network will deliver it to that network, and if there's a host with that actual private IP, the packet will be delivered to it. Usually, the overlapping private IP host will drop the packet, as it won't have a process expecting the packet, but it's possible a process might accept the packet and attempt to process it. Then, most likely, the process will go "huh?" and drop the packet. However, it's also possible the newly receiving host will reply to your original receiving host, i.e. those hosts will now fling packets back and forth because of your original packet. Again, this is all very unlikely normally, more so if the network isn't "sloppy", but such routing is the basis for some DDoS attacks. (For example, I place another host's IP in my packet's source IP, and then send out a ping to the network broadcast IP. Hosts receiving the ping will send a ping reply to the host I targeted.)
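As an added example (not code from this thread or from any of the posters), a small Python model of the hop-by-hop behaviour Joseph describes in his two posts above and Jon's answer: forwarding looks only at the destination, the Internet core has no route back to RFC 1918 space, a "sloppy" destination AS that also uses 10.0.0.0/8 internally delivers the reply into its own private network, and a bogon filter or strict uRPF at the ISP edge drops the packet at the first hop. All router names, prefixes and interface names are constructed for the example.

```python
# Added example, not from the thread: a toy router model of the behaviour
# discussed above. All prefixes, router names and interfaces are constructed.
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Router:
    def __init__(self, routes, bogon_filter=False, urpf_strict=False):
        # routes: (prefix, egress interface); "0.0.0.0/0" is a default route.
        # Sorted longest prefix first so lookup() is a longest-prefix match.
        self.fib = sorted(((ip_network(p), ifc) for p, ifc in routes),
                          key=lambda r: r[0].prefixlen, reverse=True)
        self.bogon_filter = bogon_filter   # drop RFC 1918 sources at ingress
        self.urpf_strict = urpf_strict     # strict uRPF: route to src must point back at ingress

    def lookup(self, addr):
        """Longest-prefix match on the FIB; None when no route (and no default) covers addr."""
        a = ip_address(addr)
        return next((ifc for prefix, ifc in self.fib if a in prefix), None)

    def forward(self, src, dst, ingress):
        """Return ('drop', reason) or ('forward', egress)."""
        # Optional ingress checks are the only place the SOURCE address matters.
        if self.bogon_filter and any(ip_address(src) in p for p in RFC1918):
            return ("drop", "bogon filter: private source")
        if self.urpf_strict and self.lookup(src) != ingress:
            return ("drop", "uRPF strict: source not reachable via ingress")
        # The forwarding decision itself uses the DESTINATION only.
        egress = self.lookup(dst)
        return ("forward", egress) if egress else ("drop", "no route to destination")

# ISP edge facing the customer's assigned public /24 (203.0.113.0/24 is a documentation prefix).
EDGE_ROUTES = [("0.0.0.0/0", "upstream"), ("203.0.113.0/24", "customer")]
edge_sloppy = Router(EDGE_ROUTES)
edge_filtered = Router(EDGE_ROUTES, bogon_filter=True, urpf_strict=True)
# Internet core: full table, no default, and no RFC 1918 prefixes are ever accepted.
core = Router([("8.8.8.0/24", "to-google"), ("203.0.113.0/24", "to-isp")])
# A "sloppy" destination AS that also uses 10.0.0.0/8 internally and carries a default.
dest_as = Router([("8.8.8.0/24", "dns-lan"), ("10.0.0.0/8", "corp-lan"), ("0.0.0.0/0", "transit")])

def scenarios():
    """Trace host 10.0.0.5 -> 8.8.8.8 and the reply 8.8.8.8 -> 10.0.0.5 at each hop."""
    return {
        "out_private_src_sloppy_edge": edge_sloppy.forward("10.0.0.5", "8.8.8.8", "customer"),
        "out_private_src_filtered_edge": edge_filtered.forward("10.0.0.5", "8.8.8.8", "customer"),
        "out_public_src_filtered_edge": edge_filtered.forward("203.0.113.7", "8.8.8.8", "customer"),
        "reply_in_core": core.forward("8.8.8.8", "10.0.0.5", "to-google"),
        "reply_in_sloppy_dest_as": dest_as.forward("8.8.8.8", "10.0.0.5", "dns-lan"),
    }
```

Running `scenarios()` shows the outbound packet leaving an unfiltered edge, being dropped by the filtered edge (while a source from the assigned public /24 passes), the reply being dropped in the core for lack of a route, and the reply being forwarded to the sloppy AS's own corp-lan rather than back to you.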

Hi Joseph,

Yep, thanks for double confirming (yep, I understand the foregoing that the routing decision is based on the destination IP).

I am just curious what happens if the packet has reached the destination network and there's a local subnet that matches the private src IP, which you have already covered in terms of what will probably happen ("huh" and drop packet ;))

At the same time, it's cool to know that DDoS attacks actually use a "fake" src IP which is actually the target IP of the attack.

=======

Just curious Joseph, when we send a ping to a broadcast address, what is the "actual device" that will actually broadcast the packets out to all recipients in the subnet?

 

I would assume that the router will just check if the destination IP is a directly connected network, and send out the packet as intended, but it will be the switch that checks the L2 broadcast and propagates the frames to all ports, after which the individual end devices check if it is a .255 broadcast IP and reply to it. Hence I can also say that all L3 broadcasts are L2 broadcasts as well.

Am I right?

 

Regards,
Noob

 

Unicast Reverse Path Forwarding is one of the methods for mitigating against such attacks:

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

 


It might; that's one of the reasons I mentioned it (with reference link) in my first post.  ;)

Oops, missed that ;)

Laugh - only yanking your chain a little - it's very easy to miss something already mentioned in another person's posts.  Personally, I sometimes cringe replying to a question when I see there's already lots of posted replies I need to read through.

Yes and often you read through a whole thread and you see 8 people saying the same thing...
