172.16.x.x routable?

I was under the impression that 172.16.x.x-172.31.x.x addresses were used for private IP addresses like the 192.168.x.x addresses are. I also thought that meant they're not routable. The other day while I was helping someone they pinged me and the return address on their packets was 172.16.x.x. They were several hundred miles away so their packets had to get routed through a number of hops before they got to me. Can someone explain why this worked? Thanks.


They're only non-routable on the Internet. Ergo you were experiencing a VPN or non-Internet private circuit.

The 172 address you saw could also be the IP of a box that's in your cloud that's NATing them or otherwise introducing the packet to your network.

-Russ.

Reply to
Somebody.

Yes, see RFC 3330. To be exact: 172.16.0.0/12 is set aside for use in private networks.

Oh, they're routable. One should not route them to the Internet, though.

Please post a traceroute.

Yours, VB.

Reply to
Volker Birk

The problem is that this was just Joe user using DSL to connect his home machine to the net through an ISP. There was no VPN and we weren't even sharing ISPs. He had a router between his DSL modem and his computer, so that would NAT his address between it and his computer, but shouldn't have any bearing on the outside world. I don't use 172 anywhere on my side of things. I had asked him what his IP number was and he had replied that it was 172.16.x.x. I told him that couldn't be the actual address assigned to him and asked him to ping me. That was when I saw the packets with the 172.16.x.x return address that he had previously mentioned. He also received the ping replies.

I did a traceroute at the time and it died about two hops outside my network. I don't have a copy to post.


1918 Address Allocation for Private Internets. Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, E. Lear. February 1996. (Format: TXT=22270 bytes) (Obsoletes RFC1627, RFC1597) (Also BCP0005) (Status: BEST CURRENT PRACTICE)

Correct - you can not send packets TO such an address over the Internet. This is NOT to say you can't use these addresses within an entity like an individual company/ISP. However, there is nothing in the basic routing algorithm that says you can not have this as the _source_ address in a packet. For TCP, don't expect the connection to work - because the returning SYN/ACK packet goes nowhere, and the same for a ping.

Two possible explanations - you're not supplying enough details to know which is the problem.

  1. The "other guy" is on the same ISP as you. Your posting IP is a Verizon address, and they're not exactly small, or clueful.
  2. The "other guy" is NOT the same ISP as you, and your ISP is totally clueless and hasn't bothered to implement RFC2827.

2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May 2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated by RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)

While RFC2827 only deals with filtering bogus source addresses at the destination, the more clueful ISPs also drop bogus source addresses outbound at their perimeter. As a general rule, routers should be configured to drop bogus source addresses when the address will no longer be usable. For example - customer use of those IPs (which customer?) should be blocked. While it is permitted to use RFC1918 addresses internally, if the ISP is using such addresses for local purposes (your posting hostname implies Dallas TX, yet Verizon, formerly known as Bell Atlantic, is headquartered in Reston VA) they should (and likely will) be dropped when reaching internal region boundaries.

If the 'ping' worked (they got a reply) answer 1 above applies. If answer 2 applies, then they would not get a reply to their ping.

Also see RFC3330 for other address blocks that have routing problems.

3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format: TXT=16200 bytes) (Status: INFORMATIONAL)

These RFCs are available at [link] (replace the four zeros with the four digit document number) and hundreds of mirrors around the world.

Old guy

Reply to
Moe Trin
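
The source-address checks discussed in this thread, as an added example that is not part of any post above: a sketch of the decision an ISP edge router makes, accepting a customer's packets only from the prefix assigned to that customer (RFC 2827) and dropping RFC 1918 sources at the boundary with another network. The interface naming, the `customer_prefixes` mapping and all sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private blocks; the thread's 172.16.x.x falls inside the /12.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def edge_verdict(src, iface, customer_prefixes):
    """Verdict for a packet's source address at an ISP edge.

    iface is "customer:<name>" for a customer-facing port or "peer" for the
    boundary with another network (hypothetical naming). customer_prefixes
    maps a customer name to the prefixes the ISP assigned to that customer.
    """
    ip = ipaddress.ip_address(src)
    if iface.startswith("customer:"):
        name = iface.split(":", 1)[1]
        allowed = [ipaddress.ip_network(p)
                   for p in customer_prefixes.get(name, [])]
        # RFC 2827 ingress filtering: only assigned sources may enter.
        if any(ip in net for net in allowed):
            return "forward"
        return "drop: source not in customer's assigned prefix"
    # Leaving the ISP: a private source can never receive a reply.
    if is_rfc1918(src):
        return "drop: RFC 1918 source at network boundary"
    return "forward"

if __name__ == "__main__":
    # Constructed scenario: the ISP numbers customer "joe" out of private
    # space internally; "ann" holds a documentation-range public prefix.
    prefixes = {"joe": ["172.16.40.0/24"], "ann": ["198.51.100.0/24"]}
    packets = [
        ("172.16.40.7", "customer:joe"),   # same-ISP case: stays inside
        ("172.16.40.7", "peer"),           # would cross to another network
        ("172.16.40.7", "customer:ann"),   # private source from ann's port
        ("172.32.0.1", "peer"),            # just outside 172.16.0.0/12
    ]
    for src, iface in packets:
        print(f"{src:<14} {iface:<14} {edge_verdict(src, iface, prefixes)}")
```
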
