[Linux-aus] internode/iinet/tpg ipv4 bogons in route
Paul Gear
paul-linuxaus at gear.email
Thu Jun 16 07:04:48 AEST 2022
It's also very common for a traceroute not to match in both directions,
because the ICMP time exceeded messages come from the address of the
interface facing the source IP, and a router will usually have different
IP addresses on multiple interfaces. (The data can also take a
completely different path, often depending on economic arrangements
between the parties involved.)
For example, here are some of the hops between my router and
route-views.routeviews.org (in Oregon). It looks like
TPG-iiNet-Internode peers with Hurricane Electric in San Jose, and it
traverses the same ISP in both directions, but look at the addresses on
the border between those two networks.
Outbound:
...
4.|-- adl-ts3-2600-106.tpgi.com.au (203.29.135.106)
0.0% 10 18.2 18.4 18.0 18.9 0.3
5.|-- syd-apt-ros-int1-eth8-3.tpgi.com.au (203.29.134.67)
0.0% 10 19.8 21.4 18.4 25.5 2.6
6.|-- 100gigabitethernet13-1.core1.sjc1.he.net (216.218.139.233)
0.0% 10 172.6 172.3 171.7 173.4 0.5
7.|-- 100ge1-1.core1.sjc2.he.net (184.105.65.114)
0.0% 10 173.6 172.6 172.1 173.6 0.5
...
Inbound (looks different because route-views runs Cisco IOS-XE and it
has traceroute, not mtr):
...
13 100ge1-2.core1.pao1.he.net (184.104.195.173) [AS 6939] 16 msec
100ge10-1.core1.sjc1.he.net (184.105.80.193) [AS 6939] 16 msec 17 msec
14 tpg-internet-pty-ltd.100gigabitethernet11-1.core1.sjc1.he.net
(216.218.139.234) [AS 6939] 178 msec 175 msec
100ge10-1.core1.sjc1.he.net (184.105.80.193) [AS 6939] 16 msec
15 tpg-internet-pty-ltd.100gigabitethernet11-1.core1.sjc1.he.net
(216.218.139.234) [AS 6939] 175 msec 175 msec 176 msec
16 syd-sot-ken-csw1-ge-2-23.tpgi.com.au (203.29.135.109) [AS 7545]
[MPLS: Label 24446 Exp 0] 184 msec
syd-apt-ros-crt4-be-100.tpgi.com.au (203.29.134.44) [AS 7545] 172 msec
syd-sot-ken-csw1-ge-2-23.tpgi.com.au (203.29.135.109) [AS 7545]
[MPLS: Label 24446 Exp 0] 184 msec
...
216.218.139.233 and 216.218.139.234 are probably the two ends of TPG's
point-to-point connection to Hurricane Electric which is probably the
network 216.218.139.232/30, but we only see one of the IPs in each
direction. (The /30 is just a guess, but it's not a /31, because they
must start on the even-numbered address, and I get timeouts when pinging
216.218.139.232 and 216.218.139.235, so it seems a reasonable guess.)
Regards,
Paul
On 15/6/22 23:33, dap at zepherin.com wrote:
> I am sure I'm not blocking the ping at my (UDM Pro) firewall, but the Fritz!box also has a firewall.
>
> Because I see the weird 10.20.21.212 hop outbound, I assumed I would see it on inbound, and thus it appeared to be the next hop to fix.
> However, no small amount of dorking about with the Fritz!Box has resulted in me figuring out that I need to designate the UDM as "exposed host".
>
> I know I should have more faith in the Unifi firewall, and I should have been happy to put the UDM into the DMZ, but I always felt marginally less insecure leaving it so that the mystical, inaccessible Fritz!box firewall was also preventing rogue SYNs from molesting my sockets.
>
> Once I enable "Exposed Host" on the Fritz, pings work, and "mtr" is able to reveal to me that there is no 10.20.21.212 hop inbound. Just outbound.
>
> The bogon hop still annoys me -- perhaps I need to get a life.
>
>
> Sent with Proton Mail secure email.
> ------- Original Message -------
> On Wednesday, June 15th, 2022 at 15:10, Paul Gear via linux-aus <linux-aus at lists.linux.org.au> wrote:
>
>
>> The existence of that node on the path should not break mtr - it should
>> continue trying increased TTLs until it gets to the end node.
>>
>> Are you sure you're not blocking ping at your firewall?
>>
>> On 15/6/22 14:35, Damon Permezel via linux-aus wrote:
>>
>>> Breaks mtr.
>>> Im trying to diagnose some issues and the other party insists on mtr
>>> working from both sides.
>>> Inbound to me the 10.20.21.212 drops all pings and mtr goes no further.
>>> The ping is not addressed to 10.20.21.212. It should elicit a ttl
>>> expired icmp response.
>>>
More information about the linux-aus
mailing list