nanog mailing list archives

Re: Can a prefix be never routed on Internet but used only for source address in IP packets?


From: Warren Kumari via NANOG <nanog () lists nanog org>
Date: Tue, 19 Aug 2025 17:14:00 -0700

 Largely, yes...

W


On Tue, Aug 19, 2025 at 6:16 PM, Joel Halpern <nanog () lists nanog org>
wrote:

Off-list:  Does this mean that any IP source spoof prevention mechanism
needs an exception for ICMP error packets sourced from 192.0.0.8?

Yours,

Joel

On 8/19/2025 6:07 PM, Warren Kumari via NANOG wrote:

On Tue, Aug 19, 2025 at 3:56 PM, Jonathan Kalbfeld <nanog () lists nanog org>
wrote:



There are other reasons to do it intentionally.



Yup, there are other intentional places where you can emit packets which
are not announced.



For example, the Reserved IPv4 Dummy Address (192.0.0.8): RFC7600 - "IPv4
Residual Deployment via IPv6 - A Stateless Solution (4rd)"
<https://datatracker.ietf.org/doc/rfc7600/> Sec 4.6:
"R-22: If a CE or BR receives an ICMPv6 error message [RFC4443], it
MUST synthesize an ICMPv4 error packet [RFC792]. This packet
MUST contain the first 8 octets of the discarded packet's IP
payload. The reserved IPv4 dummy address (192.0.0.8/32; see
Section 6) MUST be used as its source address."



W



You can use 10/8 to exfiltrate data. So you could have a receiving system
that catalogs every 10.x IP address and then assembles them in order for a
bit stream. You can exfiltrate data pretty quickly. Think of it like a
number station.



Jonathan Kalbfeld



office: +1 310 317 7933
fax: +1 310 317 7901
home: +1 310 317 7909
mobile: +1 310 227 1662



ThoughtWave Technologies, Inc.
Studio City, CA 91604



https://thoughtwave.com



View our network at



https://bgp.he.net/AS54380



+1 844 42-LINUX



On Aug 19, 2025 at 12:13 PM, Joe Greco via NANOG <nanog () lists nanog org>
wrote:



On Tue, Aug 19, 2025 at 07:10:54PM +0200, Bill Woodcock via NANOG wrote:



Sure. A large American mobile operator did that with a lot of their DNS
traffic for a couple of months. :-)



Of course you may be talking about doing it _intentionally_. I don't
know of a reason to do it, but sure, it can be done. It'll get dropped by
anybody running uRPF.



I don't remember if it was at SANE 2000 or 2002, but I was talking with a
gentleman who was discussing network security with me and he described that
his employer had just patented his technique for discovering "leaks", rogue
connections, etc., in a secured network. He was being very mysterious so I
asked him how his technique was different than the classic trawling around
shooting packets with various source addresses at various targets within a
network. Which is what they thought was unique and patentable.



So the point is that if you have an unrouted prefix, you can monitor the
authorized uplink from a network to see if traffic sprayed within the
network is seeing plausible response traffic addressed to that unrouted
prefix, but also if you happen to have a ROUTABLE prefix, you can also
detect rogue uplinks and stuff like that by seeing what does actually
arrive at the routed network.



This is not exactly what the OP asked about, but it is in the same
ballpark and may be interesting to someone. The ICMP response answer posted
by Mr. Heitz is obviously more common as are the accidental
misconfiguration class of answers.



... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its
way through our political and cultural life, nurtured by the false notion
that democracy means that 'my ignorance is just as good as your
knowledge.'"-Asimov
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/
HEOW6YA7H7FS5IRR4LIPXNV4Q7FESVK6/
<https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HEOW6YA7H7FS5IRR4LIPXNV4Q7FESVK6/>
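
The exception Joel asks about, as an added example that is not part of the original thread: a simplified model of a uRPF-style source check with a narrow exemption for ICMPv4 error packets sourced from 192.0.0.8. The routing table, interface names and the set of exempted ICMP types are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Reserved IPv4 dummy address from RFC 7600 (quoted in the thread above).
DUMMY_SRC = ipaddress.ip_address("192.0.0.8")
ICMP = 1  # IPv4 protocol number for ICMP
# Assumption of this example: only these ICMPv4 error types are exempted
# (3 Destination Unreachable, 11 Time Exceeded, 12 Parameter Problem).
ICMP_ERROR_TYPES = frozenset({3, 11, 12})

# Constructed routing table: (prefix, interface the route points out of).
FIB = [
    (ipaddress.ip_network("198.51.100.0/24"), "cust0"),
    (ipaddress.ip_network("203.0.113.0/24"), "transit0"),
]

@dataclass(frozen=True)
class Packet:
    src: str
    in_iface: str
    proto: int
    icmp_type: Optional[int] = None

def best_route(addr):
    """Longest-prefix match; returns the interface or None if unrouted."""
    hits = [(net.prefixlen, ifc) for net, ifc in FIB if addr in net]
    return max(hits)[1] if hits else None

def source_check(pkt, strict=True):
    """Return 'accept', 'accept-rfc7600' or 'drop' for one inbound packet."""
    src = ipaddress.ip_address(pkt.src)
    # Narrow exception: ICMP errors only, never other traffic from the dummy address.
    if src == DUMMY_SRC and pkt.proto == ICMP and pkt.icmp_type in ICMP_ERROR_TYPES:
        return "accept-rfc7600"
    iface = best_route(src)
    if iface is None:
        return "drop"                      # no route back to the source
    if strict and iface != pkt.in_iface:
        return "drop"                      # route exists, but via another interface
    return "accept"
```

Keeping the exemption scoped to protocol and ICMP type means other traffic claiming 192.0.0.8 as its source is still dropped by the normal reverse-path check.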


