Tuesday, September 20, 2011

Gotta keep'm separated

Ran into an oddball network issue where an ISP and their upstream are routing private IPs in the range 172.16/12. They aren't advertising bogons to the world at large (I checked), but quietly routing private IPs that appear to comprise a portion of the upstream's management network.

My local environment is two LANs, one on 10.0.0/8, NAT'd to the public Internet and the other on 172.16.0/12 with all manner of Linux and embedded devices hangin' on it. There's a Windows machine that straddles the networks using 2 separate NICs. A cohort noticed the problem at the Windows box when he tried to telnet to a device of his on the 172.16 LAN and got a login prompt for an ADVA Optical Networking device somewhere in the Outernet instead. A traceroute quickly confirmed that he wasn't going nuts. I guess it ain't up to me to tell an ISP that it's bad mojo to expose their network management nodes to their customers (downstream ISP) and *their* customers (me), but hey, this is mucking with my network! 172.16 is private and I should be able to use any part of it without fear of colliding with someone else's IPs anywhere out on The Internet.

I emailed the NOC POCs of both networks and got responses, so they'll probably work something out. In the meantime, I needed a way to corral my own two networks and keep'm separated. The Windows 'route' command seemed to fit the bill. It ain't exactly like the Linux route command, but with a little reading and testing, I came up with this:

1) Get a command prompt (an elevated one; adding routes needs Administrator rights on Vista and later)

2) > route PRINT

3) In the "Interface List" at the top of the output, find the index numbers (left column) of the interfaces on the main (outside) LAN and the development (inside) LAN

4) Restrict main LAN interface to 10/8:

> route ADD 10.0.0.0 MASK 255.0.0.0 10.0.0.1 METRIC 1 IF [main LAN interface#]

5) Restrict development LAN to 172.16/12:

> route ADD 172.16.0.0 MASK 255.240.0.0 0.0.0.0 METRIC 1 IF [development LAN interface#]

That seemed to do the trick. The 172.16.0.0/12 entry is more specific than the 0.0.0.0/0 default route, so longest-prefix matching now hands every 172.16/12 destination to the development NIC (gateway 0.0.0.0 means "deliver on-link") instead of the default gateway, no matter what the ISP decides to route. One caveat: routes added with plain route ADD are gone after a reboot; use the -p switch (route -p ADD ...) to make them persistent.
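The same pinning done from PowerShell, plus the check a practitioner would want afterwards: that no RFC 1918 destination still resolves to the default route. This is an added example, not the original post's commands. It assumes the main LAN NIC is named "Ethernet", the development LAN NIC "Ethernet 2", and that 10.0.0.1 is the router for the rest of 10/8; it needs the NetTCPIP cmdlets (Windows 8 / Server 2012 and later), so on the 2011-era Windows of the post route.exe as above is the tool.

```powershell
# Added example, not from the original post. Assumptions: the main LAN NIC
# is "Ethernet", the development LAN NIC is "Ethernet 2", and 10.0.0.1 is
# the router for the rest of 10/8. Needs the NetTCPIP cmdlets (Windows 8 /
# Server 2012 or later) and an elevated prompt.
#Requires -RunAsAdministrator

function Add-PinnedRoute {
    # Add a route bound to one interface unless it already exists.
    # NextHop 0.0.0.0 means on-link: deliver directly on that NIC.
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][int]$IfIndex,
        [string]$NextHop = '0.0.0.0'
    )
    $existing = Get-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $IfIndex `
                    -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "route $Prefix on if $IfIndex already present"
        return
    }
    # Unlike route.exe without -p, New-NetRoute writes the persistent store
    # too, so the pin survives a reboot.
    New-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $IfIndex `
        -NextHop $NextHop -RouteMetric 1 | Out-Null
    Write-Host "added $Prefix on if $IfIndex next hop $NextHop"
}

$mainIf = (Get-NetAdapter -Name 'Ethernet').ifIndex     # assumption
$devIf  = (Get-NetAdapter -Name 'Ethernet 2').ifIndex   # assumption

Add-PinnedRoute -Prefix '10.0.0.0/8'    -IfIndex $mainIf -NextHop '10.0.0.1'
Add-PinnedRoute -Prefix '172.16.0.0/12' -IfIndex $devIf

# Check: a private destination must never pick the 0.0.0.0/0 entry, which
# is the ISP-facing path that swallowed the 172.16 telnet in the post.
# Find-NetRoute returns the chosen source address, then the chosen route.
foreach ($probe in '10.200.1.1', '172.16.5.5', '172.31.255.1', '192.168.1.1') {
    $route = (Find-NetRoute -RemoteIPAddress $probe)[1]
    if ($route.DestinationPrefix -eq '0.0.0.0/0') {
        Write-Warning ("{0} would leave via default gateway {1} (if {2})" -f
            $probe, $route.NextHop, $route.InterfaceIndex)
    } else {
        Write-Host ("{0} -> {1} on if {2}, next hop {3}" -f
            $probe, $route.DestinationPrefix, $route.InterfaceIndex, $route.NextHop)
    }
}
```

With the two pins in place the first three probes land on a local NIC; 192.168.1.1 still warns, because neither LAN in the post uses 192.168/16, which is exactly the kind of private address an upstream could also be quietly routing.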


So, problem averted but not really solved. How common is it for ISPs, small or large, to route private IP space within their networks and even between their peers and downstream networks?

1 comment:

  1. After a bit of followup research, it turns out to be quite common that ISPs "route" some private IPs within their network because, hey, it's their private network!

    This situation was unique in that I, connected to a local/regional ISP, was able to see private IPs that belong to one of my ISP's upstream providers. It is one thing to be able to see hosts with private IPs on the local intranet; they are letting me use their private network, after all. It is not so kosher that I should see private IPs on someone else's intranet - that is the definition of routing between intranets (internetworking).
