Traceroute to ISP vmedia

When I perform a traceroute to my ISP Vmedia it goes through a private IP address outside my LAN and through another ISP to get to Vmedia. My ISP says it's a security feature of Cloudflare. Can anyone confirm this is how it operates?

Tracing route to www.vmedia.ca [104.22.56.128]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.10.1
2 8 ms 8 ms 9 ms 3.52.251.198.in-addr.arpa [198.251.52.3]
3 8 ms 8 ms 9 ms 198.251.49.XX
4 9 ms 8 ms 9 ms 172.23.1.65 Private class B
5 8 ms 9 ms 8 ms 198.251.50.16
6 * * * Request timed out.
7 * 9 ms 9 ms rc4fs-be31-100.mt.shawcable.net [66.163.66.82]
8 10 ms 9 ms 10 ms rc1fs-ge11-0-0.mt.shawcable.net [66.163.66.109]
9 30 ms 30 ms 30 ms rc2nr-be25.wp.shawcable.net [66.163.76.21]
10 49 ms 49 ms 51 ms rc3no-be110-1.cg.shawcable.net [66.163.76.57]
11 64 ms 64 ms 64 ms rc2wt-be100.wa.shawcable.net [66.163.75.233]
12 65 ms 65 ms 64 ms rc1wt-be18-1.wa.shawcable.net [66.163.64.81]
13 84 ms 91 ms 74 ms six.as13335.com [206.81.81.10]
14 65 ms 64 ms 64 ms 104.22.56.128

Trace complete.

When I perform a tracert to my ISP vmedia.ca it goes through a private class B IP address then through another ISP, shaw cable.ca. The private class B IP address is not routable on a public network and should not be present. When I asked Vmedia.ca about the issue they said it was for Cloudflare security and redundancy. Can anyone explain this route?

Tracing route to www.vmedia.ca [104.22.56.128]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.10.1
2 8 ms 8 ms 9 ms X.52.251.198.in-addr.arpa [198.251.52.X]
3 8 ms 8 ms 9 ms 198.251.49.89
4 9 ms 8 ms 9 ms 172.23.1.65 Private class B
5 8 ms 9 ms 8 ms 198.251.50.16
6 * * * Request timed out.
7 * 9 ms 9 ms rc4fs-be31-100.mt.shawcable.net [66.163.66.82]
8 10 ms 9 ms 10 ms rc1fs-ge11-0-0.mt.shawcable.net [66.163.66.109]
9 30 ms 30 ms 30 ms rc2nr-be25.wp.shawcable.net [66.163.76.21]
10 49 ms 49 ms 51 ms rc3no-be110-1.cg.shawcable.net [66.163.76.57]
11 64 ms 64 ms 64 ms rc2wt-be100.wa.shawcable.net [66.163.75.233]
12 65 ms 65 ms 64 ms rc1wt-be18-1.wa.shawcable.net [66.163.64.81]
13 84 ms 91 ms 74 ms six.as13335.com [206.81.81.10]
14 65 ms 64 ms 64 ms 104.22.56.128

Trace complete.

You will notice that a traceroute into my DSL router (from an outside source) hides the private class B address.

traceroute to 198.251.56.x (198.251.56.x), 30 hops max, 40 byte packets
1 gateway (167.160.89.89) 5.661 ms * 5.632 ms
2 edge.sea.dedicated.com (167.160.89.1) 0.264 ms 0.299 ms 0.339 ms
3 63.251.10.93 (63.251.10.93) 0.342 ms 0.341 ms 0.368 ms
4 core1.t0-0-1-0-bbnet1.sef.pnap.net (63.251.160.23) 0.968 ms 1.064 ms 1.143 ms
5 bbr1.ae6.inap-31.sef.pnap.net (64.95.158.153) 0.386 ms 0.392 ms 0.424 ms
6 * * *
7 rc2wt-be18-1.wa.shawcable.net (66.163.64.82) 2.498 ms 2.569 ms 2.671 ms
8 rc3no-be100.cg.shawcable.net (66.163.75.234) 17.080 ms 17.172 ms 17.276 ms
9 rc2nr-be110-1.wp.shawcable.net (66.163.76.58) 48.216 ms 49.478 ms 49.418 ms
10 rc3fs-be25.mt.shawcable.net (66.163.76.22) 55.534 ms 55.592 ms 55.534 ms
11 66.163.66.85 (66.163.66.85) 56.394 ms 56.360 ms 56.365 ms
12 h66-244-251-177.bigpipeinc.com (66.244.251.177) 56.463 ms 56.444 ms 56.382 ms
13 h66-244-251-178.bigpipeinc.com (66.244.251.178) 56.585 ms 56.406 ms 57.798 ms
14 * * *
15 * * *
16 198.251.49.90 (198.251.49.90) 56.021 ms 55.997 ms 55.989 ms
17 x.56.251.198.in-addr.arpa (198.251.56.x) 64.457 ms 67.066 ms 66.675 ms

I had opened a topic in which Vmedia.ca has a private class B IP in the Internet route to their network and it was closed after 1 day.

The route from my DSL router to Vmedia.ca my service provider on the Internet side has 172.23.1.65 which is a private class B address that should not be on the public Internet. Vmedia says it is for Cloudflare security and redundancy.

Can anyone tell me how a private class B IP address can be used on a public Internet for this purpose?

I had opened a topic in which my ISP has a private class B IP from myself to my ISP on the public Internet. The issue was locked claiming it is SPAM. Here is the issue

The route from my DSL router to my ISP service provider on the Internet side has 172.23.1.65 which is a private class B address that should not be on the public Internet. My ISP says it is for Cloudflare security and redundancy. Can anyone tell me if Cloudflare supports any security or redundancy involving a class B private address on the Internet?

The class B address isn’t on the internet, it is on your provider’s network. No idea if the ISP is using any feature of Cloudflare at all to protect their network or how they have chosen to configure it if they have.

Cloudflare’s network level services are described here:

No, you are wrong. Here is a tracert from my network to my ISP. When it goes through the private class B address it still carries on through another service provider, Shaw, before getting to my ISP. In the other trace route, the ingress to my network, the private class B is hidden.

I would like to know if Cloudflare in any way supports this route as a demonstration of security or redundancy as this is what my ISP stated when I specifically asked about this route.

Tracing route to www.vmedia.ca [104.22.56.128]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.10.1
2 8 ms 8 ms 9 ms 3.52.251.198.in-addr.arpa [198.251.52.x]
3 8 ms 8 ms 9 ms 198.251.49.89 ISP
4 9 ms 8 ms 9 ms 172.23.1.65 Private Class B
5 8 ms 9 ms 8 ms 198.251.50.16 ISP
6 * * * Request timed out.
7 * 9 ms 9 ms rc4fs-be31-100.mt.shawcable.net [66.163.66.82]
8 10 ms 9 ms 10 ms rc1fs-ge11-0-0.mt.shawcable.net [66.163.66.109]
9 30 ms 30 ms 30 ms rc2nr-be25.wp.shawcable.net [66.163.76.21]
10 49 ms 49 ms 51 ms rc3no-be110-1.cg.shawcable.net [66.163.76.57]
11 64 ms 64 ms 64 ms rc2wt-be100.wa.shawcable.net [66.163.75.233]
12 65 ms 65 ms 64 ms rc1wt-be18-1.wa.shawcable.net [66.163.64.81]
13 84 ms 91 ms 74 ms six.as13335.com [206.81.81.10]
14 65 ms 64 ms 64 ms 104.22.56.128

Trace complete.

Ingress tracert
traceroute to 198.251.56.x (198.251.56.x), 30 hops max, 40 byte packets
1 gateway (167.160.89.89) 5.661 ms * 5.632 ms
2 edge.sea.dedicated.com (167.160.89.1) 0.264 ms 0.299 ms 0.339 ms
3 63.251.10.93 (63.251.10.93) 0.342 ms 0.341 ms 0.368 ms
4 core1.t0-0-1-0-bbnet1.sef.pnap.net (63.251.160.23) 0.968 ms 1.064 ms 1.143 ms
5 bbr1.ae6.inap-31.sef.pnap.net (64.95.158.153) 0.386 ms 0.392 ms 0.424 ms
6 * * *
7 rc2wt-be18-1.wa.shawcable.net (66.163.64.82) 2.498 ms 2.569 ms 2.671 ms
8 rc3no-be100.cg.shawcable.net (66.163.75.234) 17.080 ms 17.172 ms 17.276 ms
9 rc2nr-be110-1.wp.shawcable.net (66.163.76.58) 48.216 ms 49.478 ms 49.418 ms
10 rc3fs-be25.mt.shawcable.net (66.163.76.22) 55.534 ms 55.592 ms 55.534 ms
11 66.163.66.85 (66.163.66.85) 56.394 ms 56.360 ms 56.365 ms
12 h66-244-251-177.bigpipeinc.com (66.244.251.177) 56.463 ms 56.444 ms 56.382 ms
13 h66-244-251-178.bigpipeinc.com (66.244.251.178) 56.585 ms 56.406 ms 57.798 ms
14 * * *
15 * * *
16 198.251.49.90 (198.251.49.90) 56.021 ms 55.997 ms 55.989 ms
17 x.56.251.198.in-addr.arpa (198.251.56.x) 64.457 ms 67.066 ms 66.675 ms

Happens quite often, but in this case I don’t think so. Not that I do a lot of carrier grade networking, but this appears valid for their internal network.

198.251.49.89	54198	VIANET, CA	198.251.48.0/23
172.23.1.65 Private Class B
198.251.50.16	54198	VIANET, CA	198.251.50.0/24

I have no idea if Cloudflare is providing the services I mentioned previously to Vianet, this is a community forum so I’m not privy to Cloudflare’s customers or configurations. Could it be Cloudflare? Sure? Maybe? Cloudflare or not, the configuration is valid for Vianet to use on their internal network. It’s not their external IP on their edge connection to Shaw, so how they number and route things internal to their own network is largely irrelevant assuming they aren’t squatting on a validly allocated globally unique address space.

The problem is that my internet traffic goes through my private IP and then again through another private IP of Vmedia, not Vianet, even though the IP resolves to Vianet. Further, it goes through another service provider, Shaw, to get to my ISP Vmedia.ca.

You mentioned this happens a lot? What would be a reason for having all of a client's internet traffic go through a private IP from the ISP?

IPv4 address space is pretty limited. With millions of devices and lots of interconnected networks, using public IP addresses everywhere would result in exhaustion of the IP address space.

The traceroute to www.vmedia.ca is going to Cloudflare’s edge network where the site is proxied by Cloudflare to wherever its origin server actually exists. While Cloudflare is a highly connected network, it doesn’t directly connect to every other network for a variety of reasons. In this instance this domain is no different than say… icanhazip.com which has no relation to Shaw, but which resolves to a Cloudflare IP and likely routes to the same datacenter.

As for the IP limitation, CGNAT was created in which a specific IP range can be used for IP extensions. But it uses the allocated address block of 100.64.0.0/10, not a private class B.

Correct, but it is more complicated than that. From the same article:

If an ISP deploys a CGN, and uses RFC 1918 address space to number customer gateways, the risk of address collision, and therefore routing failures, arises when the customer network already uses an RFC 1918 address space.

And from the actual RFC being referenced:

A Service Provider can number the interfaces in question from
[RFC1918] space if at least one of the following conditions is true:

o The Service Provider knows that the CPE/NAT works correctly when
the same [RFC1918] address block is used on both its inside and
outside interfaces.

o The Service Provider knows that the [RFC1918] address block that
it uses to number interfaces between the CGN and CPE is not used
on the subscriber side of the CPE.

So the configuration is RFC compliant. May not be the preferred deployment scenario but networking is hard and I’ve deployed exactly 0 carrier grade networks myself. So I’m just pointing to what the RFCs say is allowed.
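One way to check a traceroute listing against the address blocks discussed in this thread (RFC 1918 private space, the RFC 6598 shared block 100.64.0.0/10, and public space). This is an added example, not code from the thread or from Cloudflare; the sample hops are copied from the tracert posted above and the function names are my own.

```python
import ipaddress
import re

# Added example (not code from the thread): classify each hop of a Windows tracert
# listing as RFC 1918 private, RFC 6598 shared (CGNAT) or public space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")
HOP_RE = re.compile(r"^\s*(\d+)\s")
# dotted quad; an octet masked as x/XX, as in the posted output, is accepted
IP_RE = re.compile(r"\b\d{1,3}(?:\.(?:\d{1,3}|[xX]{1,3})){3}\b")

# Hops 1-7 and 14 of the tracert posted in the thread (header lines omitted).
SAMPLE_TRACERT = """\
1 1 ms 1 ms 1 ms 192.168.10.1
2 8 ms 8 ms 9 ms 3.52.251.198.in-addr.arpa [198.251.52.x]
3 8 ms 8 ms 9 ms 198.251.49.89
4 9 ms 8 ms 9 ms 172.23.1.65
5 8 ms 9 ms 8 ms 198.251.50.16
6 * * * Request timed out.
7 * 9 ms 9 ms rc4fs-be31-100.mt.shawcable.net [66.163.66.82]
14 65 ms 64 ms 64 ms 104.22.56.128
"""

def classify(ip_text):
    """Map one address (masked octets allowed) to its RFC 1918 / RFC 6598 / public class."""
    ip = ipaddress.ip_address(re.sub(r"[xX]+", "0", ip_text))
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip in RFC6598:
        return "rfc6598-shared"
    return "public" if ip.is_global else "other-special"

def audit_path(text):
    """Return (hop, address or None, class) for each hop line of a tracert listing."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        addrs = IP_RE.findall(line)
        if not addrs:  # "* * * Request timed out."
            hops.append((int(m.group(1)), None, "no-reply"))
            continue
        ip = addrs[-1]  # last quad is the hop address, not its reverse-DNS name
        hops.append((int(m.group(1)), ip, classify(ip)))
    return hops

def non_public_beyond_lan(hops):
    """Hop numbers after hop 1 (the LAN gateway) that answered from RFC 1918 or RFC 6598 space."""
    return [h for h, _, cls in hops if h > 1 and cls in ("rfc1918-private", "rfc6598-shared")]
```

Run against the posted output it reports only hop 4 as non-public space beyond the LAN gateway, which is the hop the thread is about; a hop in 100.64.0.0/10 would be reported as `rfc6598-shared` instead.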

Cloudflare provides DDOS, and DNS security. Does Cloudflare provide any other services specific to ISP in regards to this issue.

All my traffic is running through that private class B

I can find no example of an ISP using a private IP address. RFC 1918 is as follows

An [RFC1918] address is an IP address that is assigned by an enterprise organization to an internal host. These IP addresses are used in [private networks], which are not available, or reachable, from the Internet.

Can you name any ISP that uses a private IP in this manner, especially since you said it happens quite often? Can you explain why CGNAT, which has its own IP address for this feature, would require an ISP to use a private IP? What would prevent the ISP from acting as the user or interrupting Internet traffic?

I have asked Vmedia to explain the private class B via a ticket and via Twitter and they have not responded.

You said using a private class B “Happens quite often” but you have no other examples?
I have asked vmedia.ca to explain the use and they have not responded.

No.

The use has already been explained, but if vmedia wants to continue the conversation they will.

To be clear, you are saying that it is normal for a customer private class IP to go through an ISP’s private IP network to gain access to the rest of the Internet?

This is a question for your ISP - we aren’t them, we don’t know their setup and can’t tell you how their routing works.

We can speculate all day but they are the only ones who can give you the correct answer.

As per the RFC, it is valid. Beyond it being valid, no-one here can tell you why your ISP does that.

The last question is not about the ISP, it's about the operation of CGNAT, which you didn’t answer once I described the details. According to RFC 6598 no private class A, B or C address should be used to traverse the Internet.

Here is a description

Vmedia is using a private class A, B, C, and that is not described in CGNAT, but to answer your question I asked Vmedia to explain the details and they refused.

Can a Cloudflare representative confirm that CGNAT does not use a private class A, B, C for a user to traverse to the Internet, as asked previously?

This has nothing to do with Cloudflare.

As per the RFC that you linked…

3. Alternatives to Shared Address Space
[RFC1918] space

A Service Provider can number the interfaces in question from [RFC1918] space if at least one of the following conditions is true:

Cloudflare is not your ISP and no Cloudflare products relate to CGNAT. No ‘Cloudflare representative’ has any reason to comment on your ISP.