Networking and routing of private IP ranges


Solution 1

Most ISPs will have hardcoded ACLs to prevent routing of private traffic. In the event they do not, the lack of a locatable return address will prevent these packets from going anywhere regardless. BGP (Border Gateway Protocol), the core routing protocol of the internet, only advertises public routes.

It is common to find an ACL similar to the following on internet-facing Cisco routers:

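! Deny RFC 1918 private ranges as source addresses
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
! Deny APIPA (link-local) and loopback (127.0.0.0/8) sources
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
! Permit everything else; otherwise the implicit deny at the end of the ACL drops all traffic
access-list 100 permit ip any any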

This will block private addresses, including APIPA and loopback addresses, from traversing a router interface once it is applied via an access-group.

The firmware on some SOHO routers has this functionality built-in.
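
One way to audit an ACL like the one above, as an added example that is not part of the original answer: this Python script parses `deny ip <address> <wildcard> any` lines, converts each wildcard mask to a CIDR network, and reports which reserved ranges are not fully covered. The sample ACL and all function names are constructed for illustration; the sample's last line uses a deliberately narrow wildcard so the check has a gap to report.

```python
import ipaddress
import re

# Ranges an anti-spoofing ACL of this kind is meant to cover.
EXPECTED = {
    "10.0.0.0/8": "RFC 1918",
    "172.16.0.0/12": "RFC 1918",
    "192.168.0.0/16": "RFC 1918",
    "169.254.0.0/16": "APIPA (link-local)",
    "127.0.0.0/8": "loopback",
}
# Constructed sample input; the last line deliberately uses a too-narrow wildcard.
SAMPLE_ACL = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.0.255.255 any
"""
LINE_RE = re.compile(r"^access-list\s+\d+\s+deny\s+ip\s+(\S+)\s+(\S+)\s+any\s*$")

def wildcard_to_network(addr, wildcard):
    """Convert an address plus contiguous Cisco wildcard mask to an IPv4Network."""
    # A wildcard mask is the bitwise inverse of the netmask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    # IPv4Network raises ValueError for non-contiguous masks or stray host bits.
    return ipaddress.IPv4Network(f"{addr}/{netmask}")

def denied_networks(acl_text):
    """Return the source networks matched by 'deny ip <addr> <wildcard> any' lines."""
    nets = []
    for line in acl_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            nets.append(wildcard_to_network(*m.groups()))
    return nets

def coverage_gaps(acl_text):
    """Map each expected range that no single deny fully covers to its label."""
    denied = denied_networks(acl_text)
    return {
        cidr: label
        for cidr, label in EXPECTED.items()
        if not any(ipaddress.IPv4Network(cidr).subnet_of(d) for d in denied)
    }

if __name__ == "__main__":
    for cidr, label in coverage_gaps(SAMPLE_ACL).items():
        print(f"not fully denied: {cidr} ({label})")
```

A wildcard of `0.0.255.255` on `127.0.0.0` matches only 127.0.0.0/16, so the rest of the /8 loopback block passes the ACL; the check flags exactly that range.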

Solution 2

You need to have a better understanding of how the internet and routing work.

Private IP Address ranges are simply not available for other companies to use. They are registered by an RIR.

This is the Whois record for 192.168.0.1:

NetRange:       192.168.0.0 - 192.168.255.255
CIDR:           192.168.0.0/16
OriginAS:       
NetName:        PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED
NetHandle:      NET-192-168-0-0-1
Parent:         NET-192-0-0-0-0
NetType:        IANA Special Use
Comment:        This block is used as private address space.
Comment:        Traffic from these addresses does not come from IANA.
Comment:        IANA has simply reserved these numbers in its database 
Comment:        and does not use or operate them. We are not the source 
Comment:        of activity you may see on logs or in e-mail records.
Comment:        Please refer to  http://www.iana.org/abuse/
Comment:             
Comment:        Addresses from this block can be used by 
Comment:        anyone without any need to coordinate with 
Comment:        IANA or an Internet registry. Addresses from
Comment:        this block are used in multiple, separately 
Comment:        operated networks.
Comment:        
Comment:        This block was assigned by the IETF in the
Comment:        Best Current Practice document, RFC 1918
Comment:        which can be found at:
Comment:        
Comment:        http://www.rfc-editor.org/rfc/rfc1918.txt
RegDate:        1994-03-15
Updated:        2011-04-12
Ref:            http://whois.arin.net/rest/net/NET-192-168-0-0-1

If any internet provider attempted to use it in their (public facing/internet connected) infrastructure, and they configured routes on a router accordingly, there would be nothing stopping them using it internally.

However, if they start giving out these IPs to their subscribers via DHCP/static, and their customers also use these addresses internally, it could lead to some very interesting problems on the client side.

Also, internet providers connect to each other through a variety of methods. Unless every other ISP was to also add routes, it simply will not be reachable.

This is without getting into BGP or anything more complicated...

... To try and make it a bit simpler...

Put it this way: any ISP can use any IP block they like, but in order for the internet to work, they need to configure the way they each route to each other. The private IP ranges are just reserved/registered by the authority that dishes out other IP blocks.

In the same way, I can easily use public IP address ranges on my internal network, but, outside/external people will not be able to route to my network without adding their own custom routes.

** I have tried rewriting this a few times, it is quite a complex situation and hard to explain... If you have any other follow up questions, feel free to ask. **

Author: yannisf (Developer)

Updated on September 18, 2022

Comments

  • yannisf
    yannisf over 1 year

    Internet servers are not supposed to route private IP ranges such as 192.168.x.x.

    How do they achieve this? Should an administrator enable a specific firewall rule on the router or is it coded in the hardware/firmware/kernel of the router?

  • yannisf
    yannisf over 12 years
    Great answer, thank you! On the other hand John T is more concise while not less accurate.
  • William Hilsum
    William Hilsum over 12 years
    @yannisf - No problem! I could have kept it a bit simpler, but I wanted to expand slightly... I knew as I was writing it that it wasn't that easy :/