192.168 packets from the outside???

bogstad at pobox.com
Wed Jun 25 23:02:57 EDT 2003


David Kramer wrote:
>I was going through my logwatch reports like a good little sysadmin, and I 
>found something very unusual in there.  I saw packets from 192.168.11.85 
>coming in on eth0 (my DSL connection to the outside world).  I thought that 
>was a nonroutable address, so I was wondering how that was even possible.  
>Could it have been source-routed packets?  My ipchains firewall has rules for 
>both nonroutable addresses and source-routed packets, so I don't know.

It might have been source routed, but probably not.  A 'nonroutable'
address doesn't mean that all routers in the world automatically drop
packets with that source (or destination) address.  All it really means
is that there is no designated single owner for that address (no
uniqueness).  Any organization (or group of organizations) can decide
for itself how to divvy up those addresses and configure their routers
appropriately.  ISPs have even been known to configure ports on their
internal routers with 'nonroutable' addresses (not generally recommended
as it can cause problems with TCP MTU discovery).  Even ISPs that don't
do this will often not bother to install filters to drop packets with
these addresses.  Originally this was probably because it would have
slowed down the routers.  Now it's probably both historical and because
they don't want to have people think that 'security' has anything to do
with their equipment (that's an enduser problem).  Next thing you know
people would ask them to do something about address spoofing in
general like configure all of their edge routers to drop inappropriately
sourced packets.  That requires keeping track of what addresses are
where and could be a real headache.  It's much more lucrative to charge
for network security consulting/monitoring.

Take care,
Bill Bogstad
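[Editor's note: the following is an added example, not part of the original thread or written by either poster. It sketches the kind of check the reply above says edge routers could apply, dropping packets whose source address does not belong on the interface they arrived on (the RFC 1918 case David saw, plus the general "inappropriately sourced" case). Interface names, prefixes and log lines are constructed for illustration and are not from the original report.]

```python
"""Toy ingress (anti-spoofing) filter: is this source address plausible on this port?

Added example, not code from the thread. Topology, interface names and the
sample log lines below are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 1918 private space: valid inside a site, never a legitimate source
# arriving from the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other "martian" sources that should never arrive from outside.
OTHER_MARTIANS = [ipaddress.ip_network(n) for n in
                  ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# What an edge router has to know to do the job the reply describes: which
# prefixes legitimately originate on each port.  None means "upstream/Internet
# side, any public address is plausible".  (Constructed example topology.)
EXPECTED_SOURCES: Dict[str, Optional[List[ipaddress.IPv4Network]]] = {
    "eth0": None,                                          # DSL / Internet side
    "eth1": [ipaddress.ip_network("192.168.11.0/24")],    # our own LAN
}


def classify_source(src: str, iface: str) -> str:
    """Return 'accept' or 'drop:<reason>' for a packet with source src arriving on iface."""
    ip = ipaddress.ip_address(src)
    expected = EXPECTED_SOURCES.get(iface)
    if expected is not None:
        # Customer/LAN-facing port: only the prefixes assigned to it may appear
        # as sources.  This is the edge-router bookkeeping the reply calls a headache.
        if any(ip in net for net in expected):
            return "accept"
        return "drop:not-expected-on-interface"
    # Upstream port: no filter on public space, but private and martian
    # sources cannot legitimately come from the Internet.
    if any(ip in net for net in RFC1918):
        return "drop:rfc1918-from-upstream"
    if any(ip in net for net in OTHER_MARTIANS):
        return "drop:martian"
    return "accept"


# Constructed, logwatch-style lines of the form "IN=<iface> SRC=<addr> DST=<addr>".
SAMPLE_LOG = [
    "IN=eth0 SRC=192.168.11.85 DST=203.0.113.10",   # the case from the report
    "IN=eth0 SRC=198.51.100.7 DST=203.0.113.10",    # ordinary public source
    "IN=eth0 SRC=127.0.0.1 DST=203.0.113.10",       # martian
    "IN=eth1 SRC=192.168.11.85 DST=198.51.100.7",   # same address, but on the LAN port
    "IN=eth1 SRC=10.1.2.3 DST=198.51.100.7",        # wrong private range for this LAN
]


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse each log line and return (iface, src, verdict) triples."""
    results = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        iface, src = fields["IN"], fields["SRC"]
        results.append((iface, src, classify_source(src, iface)))
    return results


if __name__ == "__main__":
    for iface, src, verdict in audit(SAMPLE_LOG):
        print(f"{iface:5} {src:16} {verdict}")
```

The same 192.168.11.85 is accepted on eth1 and dropped on eth0: the address itself is not the problem, only where it showed up. Whether a given upstream actually applies anything like this is exactly the question the reply answers with "often not".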


