networking-forum.com

All times are UTC - 6 hours [ DST ]



Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 26 posts ]  Go to page 1, 2  Next
 Post subject: Strange traceroute path
Posted: Sun Mar 25, 2012 7:07 pm
New Member

Joined: Sun Mar 25, 2012 7:00 pm
Posts: 13
Certs: CCNA, Net+
I'm a new subscriber to an ISP where I live and was doing some traceroutes to see how they connect to the web. How does one explain this output:

tracepath yahoo.com
1: dumpstergate.local 0.254ms pmtu 1500 <------------------------localhost
1: 192.168.1.1 1.034ms <============================================my local gateway
1: 192.168.1.1 0.999ms
2: 192.168.1.1 1.087ms pmtu 1492
2: no reply
3: 172.2.1.2 2.878ms <---------------------------------Vietnam?
4: 205.144.218.233 11.500ms asymm 5 <=------------------Optilink
2: 10.2.0.1 12076.749ms <-------------------WTF? Private Class A?
5: 66.110.192.89 14.212ms asymm 6
6: 66.216.1.237 13.943ms
7: ash-ten3-1-atl-ten3-1.bboi.net 28.626ms
8: exchange-cust1.dc2.equinix.net 23.514ms asymm 9
9: ae-7.pat1.dax.yahoo.com 58.161ms asymm 12
10: ae-8.pat2.dnx.yahoo.com 88.187ms asymm 14
11: ae-5.pat2.pao.yahoo.com 99.705ms asymm 14
12: ae-4.pat2.sjc.yahoo.com 105.211ms asymm 15
13: no reply
14: no reply..............blah blahh

This makes no sense to me at all. I looked up the 172.2.1.2 and what results did return showed that it is a Vietnamese block. But what really makes me scratch my head is that it comes back into a private class A address space. If anyone has any insight on how Optilink works please clue me in.


Posted: Sun Mar 25, 2012 7:12 pm
Post Whore

Joined: Mon Jan 17, 2005 11:01 pm
Posts: 5148
Location: Canada eh
Certs: 350-001, CCNP, CXFF, ITILv3F
Just because an IP is registered somewhere doesn't mean that's where it is. And back in "the old days" before all the IPv4 space was allocated companies used to grab unused address space and use it internally. There was so much available and they had such little foresight that it didn't matter then. I used to work for a very large IT company who has a massive worldwide internal network that's "squatting" on IP addresses that are now owned by Asia, but at the time they went into use were unallocated.

And the 10. is just an internal address. You see that all the time in traceroutes. Traffic is never sent to/from a backbone router, so who cares what IP it has on it. The ISP would prefer you are never able to reach their device directly. It doesn't need a public IP to forward your traffic.

_________________
blog.brokennetwork.ca


Posted: Wed May 02, 2012 2:51 pm
New Member

Joined: Sun Mar 25, 2012 7:00 pm
Posts: 13
Certs: CCNA, Net+
My previous ISP only had one hop from my (local) gateway. In other words, I had a public IP address on the public side of my local router. This makes no sense to me why so many hops between my local public facing interface to a public IP address. I could understand if all the hops were private class A etc. between my outside local interface on my gateway, but it passes two public IP addresses, then back inside a private class A, then to a public IP? Where is the logic in that? Can anyone explain why an ISP would do something like this?

"And the 10. is just an internal address. You see that all the time in traceroutes. Traffic is never sent to/from a backbone router, so who cares what IP it has on it. The ISP would prefer you are never able to reach their device directly. It doesn't need a public IP to forward your traffic."
Maybe I misunderstand your statement. I thought if you don't have a public IP address somewhere, owned by someone forwarding/routing traffic, then you don't get on the "internet"? What does an ISP do when you host HTTP at home and you can't know what your public IP address is?


Posted: Wed May 02, 2012 2:59 pm
CCIE #38070

Joined: Wed Jun 18, 2008 7:49 am
Posts: 12429
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
cfenton2012 wrote:
My previous ISP only had one hop from my (local) gateway. In other words, I had a public IP address on the public side of my local router. This makes no sense to me why so many hops between my local public facing interface to a public IP address. I could understand if all the hops were private class A etc. between my outside local interface on my gateway, but it passes two public IP addresses, then back inside a private class A, then to a public IP? Where is the logic in that? Can anyone explain why an ISP would do something like this?

"And the 10. is just an internal address. You see that all the time in traceroutes. Traffic is never sent to/from a backbone router, so who cares what IP it has on it. The ISP would prefer you are never able to reach their device directly. It doesn't need a public IP to forward your traffic."
Maybe I misunderstand your statement. I thought if you don't have a public IP address somewhere, owned by someone forwarding/routing traffic, then you don't get on the "internet"? What does an ISP do when you host HTTP at home and you can't know what your public IP address is?


Who cares if you see a private IP on the way? As Infinite said it's completely normal. When we route public IPs we don't use public IPs everywhere to route those IPs. Remember how traceroute works. The device in question is sending back a TTL time exceeded message to your public address. The source is their private address, but it doesn't matter as routing back to you is based on the destination.

As for why? Well I don't have millions of IPs to waste in order to route a /32 to your house. An IP is an IP, public or private it doesn't matter.

A public address is routed to your house, it does not need every single router along the way to have a public IP. The source and destination IP in a packet never change (unless you NAT).

_________________
www.mellowd.co.uk/ccie/


Posted: Wed May 02, 2012 3:16 pm
Ultimate Member

Joined: Wed Sep 01, 2010 3:37 pm
Posts: 907
Location: Las Vegas, NV
Certs: Sec+, MCSE, MCITP:EA, CCNP
As the two green guys said. Every router is configured to send you the replies from a specific IP. I could configure all my routers to have a loopback of 10.10.10.10/32 and use that for replying to ICMP. Then every hop you hit in my network would look like it was coming from the same device. Everyone in the world could configure their routers that way, and then all your hops would have an address of 10.10.10.10. It is just the address the router replies with. It probably has several other addresses assigned to other interfaces.

As for your Vietnam IP it is probably like Infinite said. Some provider is using that space inside their network. Especially as it is 172.2. I can see someone deciding to expand on their 172.16 space, and not care they were using real addresses.

-Otanx


Posted: Thu May 03, 2012 1:08 am
New Member

Joined: Sun Mar 25, 2012 7:00 pm
Posts: 13
Certs: CCNA, Net+
I have millions of private class A addresses. I only need one public address in order to access this site. If I had even one public class A block, I could easily provide Internet access to my small town of less than 40,000 people. I don't care what the public address is, just as long as I have one somewhere. I guess what I'm trying to understand is why would an ISP bounce traffic around like this (my original post) if all they needed was a few public addresses, and all the private addresses they could care to use? This looks like a lot of work for a small task. All my prior ISPs gave me a dynamic public address and I could NAT or port forward any service I wanted to host at home. But this ISP calls a "static IP address" what everyone else in the industry calls "public IP address". I am not the only person to notice that Optilink does unusual stuff. An acquaintance first told me about the weird "out-in-out" routing, and he was told to purchase a "static IP address". In doing so, he reported having "normal" behaviour similar to what I experienced with previous ISPs. Another subscriber said he had to purchase a "static IP address" and that every ISP should be like Optilink. So I called the techs and asked them to help me understand why they were calling what is by definition a "public IP address", a "static IP address" and how to get one. In so many words the tech confessed to working at an unorthodox company and that they should change some things.

I really appreciate any response, however, no one has really answered my question. I know about public, private, etc. I know traceroute can be fooled. At work every address from a traceroute to google.com is the destination address, even the gateway; I know google.com is not my gateway, it's just the way our network admin has set up router replies. It just seems like a whole lot of work to do for something simple, and I know there is some simple explanation. Thanks.


Posted: Thu May 03, 2012 2:17 am
CCIE #38070

Joined: Wed Jun 18, 2008 7:49 am
Posts: 12429
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
We already told you the simple explanation, what more do you want? A router will reply with its own interface address, regardless of whether it's public or private. An IP is an IP.

You could not give 40 000 people internet access through your single public IP address, unless you NAT'd all of them behind that address. So good luck with that.

_________________
www.mellowd.co.uk/ccie/


Posted: Thu May 03, 2012 8:11 am
New Member

Joined: Sun Mar 25, 2012 7:00 pm
Posts: 13
Certs: CCNA, Net+
4: 205.144.218.233 11.500ms asymm 5 <=------------------Optilink
2: 10.2.0.1 12076.749ms <-------------------WTF? Private Class A?

As mellowd said, "unless you NAT'd all of them behind that address"
How many ISPs NAT their subscribers' traffic?


OK. Thanks


Posted: Thu May 03, 2012 8:20 am
Ultimate Member

Joined: Tue Feb 03, 2009 1:54 pm
Posts: 604
Certs: CCIE R&S, NP/DP/IP
cfenton2012 wrote:
How many ISPs NAT their subscribers' traffic?


For residential service? All of them.

_________________
And actually I appreciate MS certified people quite a bit. Not in the " I wish I did what you did" kinda way, but in a "I'm glad you're doing that so I don't have to" kind way. - Infinite ca. 2010


Posted: Thu May 03, 2012 8:24 am
New Member

Joined: Sun Mar 25, 2012 7:00 pm
Posts: 13
Certs: CCNA, Net+
If a residential connection was NAT'd, could a subscriber operate a web server from their home?


Posted: Thu May 03, 2012 8:29 am
Ultimate Member

Joined: Tue Feb 03, 2009 1:54 pm
Posts: 604
Certs: CCIE R&S, NP/DP/IP
Read your ToS, that's almost always specifically disallowed. Sure, you can do it, but you run the risk of being indiscriminately disconnected if caught.

_________________
And actually I appreciate MS certified people quite a bit. Not in the " I wish I did what you did" kinda way, but in a "I'm glad you're doing that so I don't have to" kind way. - Infinite ca. 2010


Posted: Thu May 03, 2012 8:32 am
Ultimate Member

Joined: Wed Sep 01, 2010 3:37 pm
Posts: 907
Location: Las Vegas, NV
Certs: Sec+, MCSE, MCITP:EA, CCNP
No you can't. I bet if you read your terms of service with your ISP it says you are not allowed to run public services from your connection.

NATing residential service is becoming common as we run out of IP addresses. From what I understand Asia is almost all NATed anymore.

-Otanx


Posted: Thu May 03, 2012 8:58 am
Post Whore

Joined: Thu Dec 30, 2010 2:05 pm
Posts: 1132
Location: Stockholm, SE
Certs: CCNP, CCNP SP, CCDA, CCNA DC, CCNA W, HP MASE
Digitowel wrote:
cfenton2012 wrote:
How many ISPs NAT their subscribers' traffic?


For residential service? All of them.
Whut? Not in this part of the world at least.

Seeing private IPs in traceroutes is pretty common though, and nothing to worry about at all.

_________________
as if the mind had gone black forever.


Posted: Thu May 03, 2012 9:38 am
New Member

Joined: Sun Mar 25, 2012 7:00 pm
Posts: 13
Certs: CCNA, Net+
srg wrote:
Digitowel wrote:
cfenton2012 wrote:
How many ISPs NAT their subscribers' traffic?


For residential service? All of them.
Whut? Not in this part of the world at least.

Seeing private IPs in traceroutes is pretty common though, and nothing to worry about at all.


Thank you. You are the first person to make any sense. I guess you are the first person who could understand my insanely difficult question.

As for running services at home, I have done it without any problem at my previous ISPs because my traffic was not NAT'd, and I could specify the DMZ with my own router, and the dynamic DNS service to track my dynamic public address. With my current service (and any NAT'd traffic), I would need admin access to their routers so I can specify my DMZ which contains my web server, and give myself a static public and private address (not gonna happen, which is why they sell "static IP addresses"). But this is way off topic and I apologize for making it so.

I was just surprised to see this behavior having been the first time to experience NAT'd ISP service. Thanks to all who responded to my question. I'm sorry I could not communicate my thoughts clearer. This is the first time I've seen private addresses sandwiched between public addresses in a traceroute.


Posted: Thu May 03, 2012 10:23 am
Post Whore

Joined: Mon Jan 17, 2005 11:01 pm
Posts: 5148
Location: Canada eh
Certs: 350-001, CCNP, CXFF, ITILv3F
Your question was not insanely difficult. Like mellowd said, we answered it right off the bat. The issue is that you are over-complicating it, and refusing to let go of your (incorrect) preconceived ideas about how things work.

:)

_________________
blog.brokennetwork.ca


Posted: Thu May 03, 2012 10:34 am
Post Whore

Joined: Thu Dec 30, 2010 2:05 pm
Posts: 1132
Location: Stockholm, SE
Certs: CCNP, CCNP SP, CCDA, CCNA DC, CCNA W, HP MASE
And just because you see private IPs in your traceroute doesn't necessarily mean you are being NATed.

_________________
as if the mind had gone black forever.


Posted: Thu May 03, 2012 11:10 am
CCIE #38070

Joined: Wed Jun 18, 2008 7:49 am
Posts: 12429
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
You are not being NAT'd. You have a public IP. The router in front of you has a private IP. I don't know how much more clear we can make it

_________________
www.mellowd.co.uk/ccie/


Posted: Thu May 03, 2012 11:17 am
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8296
Location: Frederick MD
Certs: Instanity
cfenton2012 wrote:
If a residential connection was NAT'd, could a subscriber operate a web server from their home?



There are plenty of free/cheap web hosting services on the internet. Why would you want to increase the security risk of your home network by running a publicly accessible web server on your home network?

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw


Posted: Fri May 04, 2012 8:43 am
New Member

Joined: Sun Mar 25, 2012 7:00 pm
Posts: 13
Certs: CCNA, Net+
mellowd wrote:
You are not being NAT'd. You have a public IP. The router in front of you has a private IP. I don't know how much more clear we can make it

My router's WAN interface has a private IP (class A) address. The private C range is in my house on my LAN. So I'm not NAT'd?


Posted: Fri May 04, 2012 8:46 am
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8296
Location: Frederick MD
Certs: Instanity
cfenton2012 wrote:
mellowd wrote:
You are not being NAT'd. You have a public IP. The router in front of you has a private IP. I don't know how much more clear we can make it

My router's WAN interface has a private IP (class A) address. The private C range is in my house on my LAN. So I'm not NAT'd?



If your WAN is a private IP address and your house LAN is a private IP address, you would not be able to surf the internet without NAT; RFC 1918 addresses do not route across the internet. So if you can access the internet you are NAT'd... somewhere.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw
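
Added example, not part of any post in this thread: a Python parser for the tracepath output in the first post that checks each hop against the RFC 1918 ranges and reorders the replies by TTL. It shows that 172.2.1.2 lies outside 172.16.0.0/12, and that the 10.2.0.1 reply carries TTL 2, so by TTL it sits directly after the home gateway. The function names are this example's own, and the sample text is the post's output with the poster's arrow annotations removed.

```python
import ipaddress
import re

# RFC 1918 private ranges; these never route across the public internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tracepath hop line: "<ttl>: <host-or-ip> <rtt>ms ..."; "no reply" lines do not match.
HOP_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+[\d.]+ms")

# Output from the first post, with the poster's arrow annotations removed.
SAMPLE = """\
 1: dumpstergate.local 0.254ms pmtu 1500
 1: 192.168.1.1 1.034ms
 1: 192.168.1.1 0.999ms
 2: 192.168.1.1 1.087ms pmtu 1492
 2: no reply
 3: 172.2.1.2 2.878ms
 4: 205.144.218.233 11.500ms asymm 5
 2: 10.2.0.1 12076.749ms
 5: 66.110.192.89 14.212ms asymm 6
 6: 66.216.1.237 13.943ms
"""

def classify(host):
    """Return 'rfc1918', 'public-range' or 'hostname' for one hop label."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # reverse DNS name, nothing to classify
    return "rfc1918" if any(ip in net for net in RFC1918) else "public-range"

def parse_hops(text):
    """Return distinct (ttl, host, kind) tuples in the order they were printed."""
    hops, seen = [], set()
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m and (m.group(1), m.group(2)) not in seen:
            seen.add((m.group(1), m.group(2)))
            hops.append((int(m.group(1)), m.group(2), classify(m.group(2))))
    return hops

def by_ttl(hops):
    """Order hops by TTL; late replies are printed out of order by tracepath."""
    return sorted(hops, key=lambda h: h[0])  # stable sort keeps ties in print order

def nat_required(wan_ip):
    """A WAN address in RFC 1918 space implies translation somewhere upstream."""
    return classify(wan_ip) == "rfc1918"

if __name__ == "__main__":
    for ttl, host, kind in by_ttl(parse_hops(SAMPLE)):
        print(f"{ttl:2d}  {host:<20} {kind}")
```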

