Tuesday 1 January 2019

router - Networking and routing of private IP ranges


Internet servers are not supposed to route private IP ranges such as 192.168.x.x.


How do they achieve this? Should an administrator enable a specific firewall rule on the router or is it coded in the hardware/firmware/kernel of the router?



Answer



Most ISPs will have hardcoded ACLs to prevent routing of private traffic. In the event they do not, the lack of a locatable return address will prevent these packets from going anywhere regardless. BGP (Border Gateway Protocol), the core routing protocol of the internet, only advertises public routes.


It is common to find an ACL similar to the following on internet-facing Cisco routers:


access-list 100 remark Drop packets sourced from RFC 1918, link-local (APIPA) and loopback space
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 remark Every IOS ACL ends in an implicit deny, so permit the remaining traffic explicitly
access-list 100 permit ip any any

This will block private addresses, including APIPA and loopback addresses, from traversing a router interface once applied via an access-group.


The firmware on some SOHO routers has this functionality built-in.
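As an added illustration (example code written for this page, not part of the original answer or of any vendor's software), here is a small Python model of how an IOS numbered ACL of the kind shown above is evaluated: wildcard masks are converted to prefixes, entries are matched first-match, and an unmatched packet falls through to the implicit deny. The ACL lines embedded in it are constructed from the answer; the loopback entry is assumed to cover all of 127.0.0.0/8 (wildcard 0.255.255.255) and a trailing permit is assumed, since without one the list would block everything. The parser handles only plain `ip` entries with `any`, `host` or address/wildcard endpoints.

```python
import ipaddress

# Constructed input (not from a real device): the answer's ACL, with the
# loopback entry covering the whole 127.0.0.0/8 block and an explicit
# permit at the end. Without that permit, IOS's implicit deny would drop
# all traffic once the ACL is applied to an interface.
ACL_LINES = [
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 169.254.0.0 0.0.255.255 any",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 permit ip any any",
]


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard-mask pair into an IPv4Network.

    A wildcard mask is the inverse of a subnet mask: 0 bits must match,
    1 bits are "don't care". Only contiguous wildcards (0.0.255.255,
    0.15.255.255, ...) map to a single prefix, so anything else is rejected.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc != 0:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _parse_endpoint(tokens, i):
    """Parse one source or destination spec starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_entry(line):
    """Parse 'access-list N deny|permit ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line}")
    src, i = _parse_endpoint(tokens, 4)
    dst, _ = _parse_endpoint(tokens, i)
    return action, src, dst


def build_acl(lines):
    """Parse all entries, skipping IOS 'remark' lines."""
    return [parse_entry(line) for line in lines if " remark " not in line]


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation with IOS's implicit 'deny' at the end."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


if __name__ == "__main__":
    acl = build_acl(ACL_LINES)
    for probe in ["192.168.1.10", "172.31.0.1", "172.32.0.1", "127.5.5.5", "203.0.113.9"]:
        print(probe, "->", evaluate(acl, probe, "198.51.100.1"))
```

Running it shows that 172.31.0.1 is dropped while 172.32.0.1 passes, which is exactly the boundary the 0.15.255.255 wildcard (a /12) draws; dropping the final permit line from ACL_LINES makes every probe return "deny", which is the implicit-deny pitfall the remark warns about.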

