Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Why can I traceroute to private IP?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Why can I traceroute to private IP?

So I'm doing some traceroute to this IP, suprisingly found out that two hops are private IPs. Am I supposed to see this?

Doing this on Ramnode Seattle VPS. Notice #7 and #8.

HOST: localhost                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  2.|-- six.r2.se.hwng.net         0.0%    10    0.4   3.2   0.3  26.5   8.2
  3.|-- ae5.r2.ch.hwng.net         0.0%    10   62.0  52.3  44.8  62.0   7.8
  4.|-- 209.197.20.32              0.0%    10   45.2  45.9  44.8  47.6   1.1
  5.|-- 1-3.r1.dc.hwng.net         0.0%    10   68.6  69.8  68.5  74.6   2.3
  6.|-- 209.197.13.194             0.0%    10   66.5  66.5  66.4  66.8   0.1
  7.|-- 192.168.120.22             0.0%    10   74.8  76.7  74.8  91.6   5.2
  8.|-- 192.168.121.3              0.0%    10   89.1  98.7  86.1 126.4  15.7
  9.|-- 208.78.166.155             0.0%    10   66.8  66.7  66.6  66.8   0.1

Comments

  • trewqtrewq Administrator, Patron Provider

    While not conventional it works as long as everything has a route in place.

  • While I get a ping to those IPs?

  • trewqtrewq Administrator, Patron Provider

    @TheOnlyDK said:
    While I get a ping to those IPs?

    Depending on your network setup I guess. Someone more knowledgeable than me on this topic might be able to shed some light on it for you. Possibly @Francisco if he has time.

  • UrDNUrDN Member
    edited August 2016

    This is routing inside the same network. It's not recommended but a lot of networks are setup this way.

    A hop's interface may also have many IP, when Time Exceeded packets are generated the router may pick up the primary interface's address.

    You can make a router return any IP address you want, including public IP that are not allocated to you.

  • @TheOnlyDK said:
    While I get a ping to those IPs?\

    Maybe, it depends on the context of their use and what routing is in place. Try it.

  • UrDNUrDN Member

    @TheOnlyDK said:
    While I get a ping to those IPs?

    You may send different type of pings, commonly using UDP or ICMP.

    If you icmp ping 208.78.166.155 your machine sends an Echo Request packet and because this packet successfully reaches its destination, the remote host sends you back an Echo Reply packet. The ping program then calculates the time between send and receive.

    If you would directly ping 192.168.120.22 you would unlikely receive a response that's because your network does not know how to reach this address. It would be the same if you traceroute to this address.

    However, the traceroute to 208.78.166.155 reveals this address because the traceroute program uses a trick to attempt to discover hops in between which consist of changing the value of a field called TTL (Time to Live) that's present in IP packets. A TTL value ranges from 0 to 255, every time a packet passes through a hop, the TTL value decrements, if the TTL reaches 0, the router that's treating this packet drops it and normally generates a packet called "Time Exceeded" which it sends to the source of the packet that was dropped.

    The first packet that's generated by the traceroute program will have a TTL value of 1 causing the next hop to drop the packet and return a Time Exceeded packet to the source, when the router generates the packet it generally uses the primary's IP address of the interface as the source address, this is why the address that is shown is not always relevant. For each following packet the TTL value is incremented until the final destination (208.78.166.155) is reached.

    The traceroute program just compares the time between the packet is sent and the Time Exceeded packet is received.

  • I know within my own network I can use private IPs and be able to ping them, since my router(s) know where to route the ICMP requests. But when it's on the remote network, shouldn't it just be skipped to the next router where it has a public IP to reply to me?

    Even changing the ping to UDP ping, it still doesn't make sense for me to get a reply from a private IP. That's the whole point of NAT is no direct public access. Am I wrong?

  • ClouviderClouvider Member, Patron Provider

    @TheOnlyDK the explaination by @UrDN is very through. He explained why and how it works.

  • jtkjtk Member

    @TheOnlyDK said:
    So I'm doing some traceroute to this IP, suprisingly found out that two hops are private IPs. Am I supposed to see this?

    You are "supposed to" in the sense that the network responsible for them set those up that way probably intentionally. Private addresses are ambiguous and their use as source or destination addresses in the public Internet is generally discouraged for that reason. However, some networks use them, especially for router interfaces for a variety of reasons. One is to conserve otherwise limited public addresses. Another is to limit just the sort of thing you might like to do, aim packets at them directly. This latter idea is often intentionally done to help mitigate directed attacks against infrastructure IP addresses. While not everyone agrees with their use for any reason, it is not uncommon to see them in trace routes.

  • I would think It's possible that the network sending the traffic out doesn't have source filtering enabled,I guess in theory it's possible to send traffc FROM an RFC1918 address and not NAT it and have it reach it's destination if no-one in the path is bothering to check the source is actually valid.

    I've also seen multiple hops with the same IP when NAT got involved.

  • mycosysmycosys Member
    edited August 2016

    Better to think of them as 'non-routable' IPs than 'private' IPs. They are a legitimate IP address as an origin, but as a destination they cannot be routed to across networks. It got a ping packet, it replied with ITS IP address the only way it knew.

  • rm_rm_ IPv6 Advocate, Veteran
    edited August 2016

    dragon2611 said: no-one in the path is bothering to check the source is actually valid.

    Yep, some do and some don't, here are two traces to the same IP (188.162.12.1):

     Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
     1. 192.168.0.254                     0.0%     5    0.7   0.8   0.6   0.9   0.0
     2. 10.92.127.126                     0.0%     5    6.6   5.9   1.7  13.9   4.9
     3. lag-2-435.bgw01.tmn.ertelecom.ru  0.0%     5    1.5   1.6   1.5   1.8   0.0
     4. Er-Telecom-gw.transtelecom.net    0.0%     5   28.3  28.3  28.3  28.4   0.0
     5. mskn06.transtelecom.net           0.0%     5   31.0  29.4  28.9  31.0   0.9
     6. megafon-gw.transtelecom.net       0.0%     5   28.9  32.1  28.9  38.2   4.4
     7. ???
     8. ???
     9. ???
    10. ???
    11. ???
    12. 37.29.17.74                       0.0%     5   83.7  83.6  83.5  83.7   0.0
    13. ???
    14. client.yota.ru                    0.0%     4   84.2  84.4  84.2  84.6   0.0
    
     Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
    ...
     2. a9k1-49e-s46-1.dc3.poneytelecom.  0.0%     5    0.6   1.3   0.6   2.0   0.0
     3. bb1-dc3-bb1.ams1.poneytelecom.eu  0.0%     5   12.9  13.0  12.8  13.3   0.0
     4. AMS-PE-1.megafonvolga.ru          0.0%     5   13.5  15.0  13.2  21.5   3.6
     5. 83.169.204.90                     0.0%     5  110.1 110.2 110.0 110.6   0.0
     6. 83.169.204.77                     0.0%     5  115.3 182.7 115.3 449.3 149.0
     7. 10.222.78.25                      0.0%     5  119.3 293.9 116.9 999.0 394.2
     8. 10.222.177.162                    0.0%     5  121.6 121.5 121.1 121.8   0.0
     9. ???
    10. 10.222.54.21                      0.0%     5  118.8 119.0 118.8 119.3   0.0
    11. 10.222.54.81                      0.0%     5  111.4 111.7 111.4 112.1   0.0
    12. 37.29.17.70                       0.0%     5  109.6 109.8 109.6 110.0   0.0
    13. 10.92.130.1                       0.0%     5  115.8 115.4 115.1 115.8   0.0
    14. client.yota.ru                    0.0%     5  115.2 115.6 115.2 116.7   0.6
    

    This Megafon is notorious for building their entire L3 network out of shit and sticks these 10.222 private range IPs.

  • @rm_ said:
    Yep, some do and some don't, here are two traces to the same IP (188.162.12.1):

    >

    This Megafon is notorious for building their entire L3 network out of shit and sticks these 10.222 private range IPs.

    Always thought it would be the first case where the private IPs will just return timeouts. You learn something everyday.

  • jtkjtk Member

    @mycosys said:
    Better to think of them as 'non-routable' IPs than 'private' IPs. They are a legitimate IP address as an origin, but as a destination they cannot be routed to across networks. It got a ping packet, it replied with ITS IP address the only way it knew.

    Pedantic pet peeve, IPs = Internet Protocols, :-). They are private addresses or perhaps more precisely per IETF RFC 1918, they are an Address Allocation for Private Internets.

    The reply would have technically been a pong (ICMP echo response) if the probe was an ICMP echo request. Probably so since this looks like mtr was used, which is technically a tracouroute + ping utility using ICMP probes by default.

    Sometimes you may find they are "routable" in the sense that some networks will have a route for some privately allocated addresses. It all depends. If for instance I'm peered with ISP X and I know they use 10.0.0.0/24 on their IRLs, I might be able to aim packets from my autonomous network into their's, hit their private allocations and get a response back as I would any public address. Perfectly "routable" in that case.

    It is generally more safe to say they are "ambiguous", because they can be freely allocated to private networks and you can't be sure who is using them, how they are being used, and what any neighbor network will do with them. Some filter those addresses when present in either the soure or destination field, when they are seen as a source address, some as a destination and some don't filter them at all and they go where they will. In this last case, they may go nowhere, they may go to route to some local use, or maybe even to a neighbor if a route leak is accepted.

  • @jtk said:

    Pedantic pet peeve, IPs = Internet Protocols, :-). They are private addresses or perhaps more precisely per IETF RFC 1918, they are an Address Allocation for Private Internets.

    private network != private adress

    The reply would have technically been a pong (ICMP echo response) if the probe was an ICMP echo request. Probably so since this looks like mtr was used, which is technically a tracouroute + ping utility using ICMP probes by default.

    you mean the normal reply to a ping? wow

    Sometimes you may find they are "routable" in the sense that some networks will have a route for some privately allocated addresses. It all depends. If for instance I'm peered with ISP X and I know they use 10.0.0.0/24 on their IRLs, I might be able to aim packets from my autonomous network into their's, hit their private allocations and get a response back as I would any public address. Perfectly "routable" in that case.

    It is generally more safe to say they are "ambiguous", because they can be freely allocated to private networks and you can't be sure who is using them, how they are being used, and what any neighbor network will do with them. Some filter those addresses when present in either the soure or destination field, when they are seen as a source address, some as a destination and some don't filter them at all and they go where they will. In this last case, they may go nowhere, they may go to route to some local use, or maybe even to a neighbor if a route leak is accepted.

    You may wish to look up the difference between 'technically accurate in every respect' and 'helpful'. Reference conventional current flow. And imaginary currents used for power factor.

Sign In or Register to comment.