Is using Public IP addresses behind a NAT router LEGAL?



  • Everyone always says "it's not a good idea…" (I know, spare me the rhetoric).  But is it actually LEGAL to connect to the internet if you are using public IP addresses behind a NAT firewall?

    From my understanding, the only reason NOT to do this is that it could possibly cause technical problems if I decide to visit a web site that resides on that same subnet, but there are some subnets that I will NEVER visit - i.e. those in China (my Chinese language skills are terrible).

    So why would I really even consider doing this?  Every night the same (blocked) Chinese IP address tries to penetrate my router.  I thought it would be somewhat humorous (I have a bizarre sense of humor) to just set the router to that same exact IP address... and it got me thinking... is that legal?

    BTW, from the pfSense v2.1 book draft, page 10:
    "If you find yourself working on an existing network using an improper address space, it is best to correct the addressing as soon as possible."
    Me: but is it LEGAL not to?

    Microsoft has similar (albeit more harshly worded) information here:
    http://technet.microsoft.com/en-us/library/cc759287(v=WS.10).aspx
    where it states:
    _Network administrators of private networks who have no plans to connect to the Internet can choose any IP addresses they want, even public addresses that IANA has assigned to other organizations. Such potentially duplicate addresses are known as unauthorized (or illegal) addresses. Later, if the organization decides to connect directly to the Internet after all, its current addressing scheme might include addresses that IANA has assigned to other organizations. You cannot connect to the Internet by using unauthorized addresses.

    Do not use unauthorized addresses if even the slightest possibility exists of ever establishing a connection between your network and the Internet. On some future date, discovering that you need to quickly replace the IP addresses of all the nodes on a large private network can require considerable time and interrupt network operation._

    Now they use the term "illegal", but is that really enforceable by any actual law??  Which one?  Can you actually cite the law, hyperlink to it?

    The same question applies to IPv6 (which I don't use yet).



  • There can not be any law that regulates how you assign your own public IP addresses and how you arrange the routing to them in your own networks. Just as long as the IP address is reachable from the public internet it doesn't matter how many private RFC1918 networks or VPN links (for example) the traffic has to traverse to reach the IP address.



  • @kpa:

    There can not be any law that regulates how you assign your own public IP addresses and how you arrange the routing to them in your own networks. Just as long as the IP address is reachable from the public internet it doesn't matter how many private RFC1918 networks or VPN links (for example) the traffic has to traverse to reach the IP address.

    But they are not my own public IP addresses, they are assigned to someone else… hence the question.

    Obviously there is a security risk if you use someone else's public IP addresses, but that is not the question either.


  • Rebel Alliance Developer Netgate

    They likely mean "illegal" in the sense that they really mean "invalid".

    If NAT is involved, the public facing side of the network would never see the other IP addresses so it wouldn't matter.

    What might matter is if you try to send traffic out without NAT, or using some other protocol like BGP to your ISP you attempt to use someone else's address space. Those are much different situations than using some other subnets on your router behind NAT.

    It's still not a good idea, and you might accidentally let in traffic you don't intend. Pretend for a second that you used your Chinese friend's address space, then added a floating rule you accidentally applied to all interfaces to pass your "LAN" subnet somewhere… oops, you just let them in.
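The "floating rule applied to all interfaces" slip jimp describes, as an added example that is not part of the original thread or of pfSense itself. It uses a toy first-match rule evaluator (assumed, not pf's real engine), 203.0.113.0/24 (RFC 5737 documentation space) as a constructed stand-in for "someone else's" public range, and a small check that tells RFC1918 / fc00::/7 space apart from space assigned elsewhere:

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")   # IPv6 unique local addresses

def classify_lan_prefix(prefix):
    """Is this LAN prefix really ours to use, or space assigned to someone else?"""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if net.version == 6 and net.subnet_of(ULA):
        return "ula"
    return "assigned-elsewhere"   # reachable on the Internet only via its real owner

@dataclass
class Rule:
    interfaces: frozenset   # {"lan"} = interface rule; {"lan", "wan"} = floating rule on all
    src: ipaddress.IPv4Network
    action: str = "pass"

@dataclass
class Packet:
    ingress_if: str
    src: ipaddress.IPv4Address

def first_match(rules, pkt):
    """Toy pf-style evaluator: first rule matching interface + source wins; default deny."""
    for r in rules:
        if pkt.ingress_if in r.interfaces and pkt.src in r.src:
            return r.action
    return "block"

# Constructed stand-in for "someone else's" public space: 203.0.113.0/24 is an
# RFC 5737 documentation range, used here purely as a placeholder.
LAN_SUBNET = ipaddress.ip_network("203.0.113.0/24")
LAN_ONLY = [Rule(frozenset({"lan"}), LAN_SUBNET)]
FLOATING = [Rule(frozenset({"lan", "wan"}), LAN_SUBNET)]

INSIDER = Packet("lan", ipaddress.ip_address("203.0.113.10"))   # your own host
OUTSIDER = Packet("wan", ipaddress.ip_address("203.0.113.77"))  # the real owner, arriving from the Internet

def demo():
    return {
        "lan_only/outsider": first_match(LAN_ONLY, OUTSIDER),  # block
        "floating/outsider": first_match(FLOATING, OUTSIDER),  # pass: "oops, you just let them in"
        "floating/insider": first_match(FLOATING, INSIDER),    # pass
    }
```

With an RFC1918 LAN the same floating-rule mistake exposes much less, because no legitimate Internet host sources traffic from 10/8 or 192.168/16; with borrowed public space the owner's real traffic matches the rule.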



  • @jimp:

    They likely mean "illegal" in the sense that they really mean "invalid".

    If NAT is involved, the public facing side of the network would never see the other IP addresses so it wouldn't matter.

    What might matter is if you try to send traffic out without NAT, or using some other protocol like BGP to your ISP you attempt to use someone else's address space. Those are much different situations than using some other subnets on your router behind NAT.

    It's still not a good idea, and you might accidentally let in traffic you don't intend. Pretend for a second that you used your Chinese friend's address space, then added a floating rule you accidentally applied to all interfaces to pass your "LAN" subnet somewhere… oops, you just let them in.

    Thanks Jimp.  I actually spent some time on ICANN's web site trying to find this answer - and found nothing of substance.

    What would make it "invalid" though?  Aside from the possible security risk (and I see your point) the only downside I can see to using public IPs behind a NAT is not being able to reach the web pages in that public space.

    With regards to IPv4 it is more of curiosity since 10.0.0.0/8 is more than enough addresses.

    You do bring up a very good point:

    @jimp:

    What might matter is if you try to send traffic out without NAT, or using some other protocol like BGP to your ISP you attempt to use someone else's address space.

    With IPv6 it becomes more interesting since NAT is not used (correct?).  I have yet to enable IPv6 on our network so I admit I don't understand the details, but my understanding is our ISPs will assign us a subnet (and I don't understand how this works when you have two ISPs for failover and they each assign different subnets).  Your subnet becomes your new identity.

    Sorry to derail so far off-topic, but as a privacy advocate this really bothers me.  This means that all your activity can be tracked by any web site.  You can forget about disabling cookies in your browser, all the cookies can be held on the host web site's side.

    So what would an ISP do if someone sets their IPv6 subnet to some random subnet rather than to their "assigned" subnet via DHCPv6?  Not let them on the internet?  IMO all the possible implications are scary.



  • With IPv6 you're not necessarily given your own /64 subnet. If you're just a standard home user you'll be given a random IPv6 address from the pool of addresses using SLAAC or DHCPv6 that only identifies the ISP's network, pretty much in the same way as you are now given a random IPv4 address with DHCP. If you do request a /64 then of course you're identifiable via the addresses, there's no way around it. It's of course already the same if you request a routed IPv4 subnet, public IPv4 IP addresses do identify you if they are assigned to you.

    Also contrary to the popular belief, NAT can be used with IPv6 exactly as it is used now with IPv4 to hide private range addresses behind a public IP address. I have done such a set up with FreeBSD and PF just for seeing if it works. Not sure if pfSense supports such setup directly yet but it should be perfectly doable.


  • Rebel Alliance Developer Netgate

    What the ISP does is purely up to them. If they do proper egress/ingress filtering, then any attempt to use address space that doesn't belong to you won't make it into or out of their network.

    Cable ISPs have similar issues with DHCP now and they have tricks on their end to match up traffic with specific MAC addresses to ensure things are sourced properly. It won't be much if any different on IPv6. Delegated prefixes will be associated with your MAC address. If the traffic arrives from an unexpected source, it would be dropped.

    But if your ISP isn't doing the proper filtering on their end… who knows what it might do. The return traffic would not reach you, but you could send the packets out, essentially spoofing someone else's network. Some DoS attacks rely on that behavior.



  • @kpa:

    With IPv6 you're not necessarily given your own /64 subnet. If you're just a standard home user you'll be given a random IPv6 address from the pool of addresses using SLAAC or DHCPv6 that only identifies the ISP's network, pretty much in the same way as you are now given a random IPv4 address with DHCP. If you do request a /64 then of course you're identifiable via the addresses, there's no way around it. It's of course already the same if you request a routed IPv4 subnet, public IPv4 IP addresses do identify you if they are assigned to you.

    This is the first I had heard this, I had read somewhere that ISPs assign customers a specific range. I have a feeling I won't really understand what our ISP will do until I enable IPv6 on the firewall.

    @kpa:

    Also contrary to the popular belief, NAT can be used with IPv6 exactly as it is used now with IPv4 to hide private range addresses behind a public IP address. I have done such a set up with FreeBSD and PF just for seeing if it works. Not sure if pfSense supports such setup directly yet but it should be perfectly doable.

    This is also news to me.  What are the "private" IPv6 ranges?  Just the private IPv4 192.168/16 and 10/8 ranges mapped to IPv6 format?


  • Rebel Alliance Developer Netgate

    @pfSensible:

    This is the first I had heard this, I had read somewhere that ISP's assign customers a specific range. I have a feeling I won't really understand what our ISP will do until I enable IPv6 on the firewall.

    There are several deployment mechanisms; there won't be a way to know until your ISP does pick one and starts rolling it out.  Some might be a static assigned block, others could be dynamic.

    @pfSensible:

    This is also news to me.  What are the "private" IPv6 ranges?  Just the private IPv4 192.168/16 and 10/8 ranges mapped to IPv6 format?

    fc00::/7

    http://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses

    EDIT: Wrong subnet/link…. E_UNCAFFINATED



  • @jimp:

    What the ISP does is purely up to them. If they do proper egress/ingress filtering, then any attempt to use address space that doesn't belong to you won't make it into or out of their network.

    Cable ISPs have similar issues with DHCP now and they have tricks on their end to match up traffic with specific MAC addresses to ensure things are sourced properly. It won't be much if any different on IPv6. Delegated prefixes will be associated with your MAC address. If the traffic arrives from an unexpected source, it would be dropped.

    That does make perfect sense - I suppose the ISP does need a unique ID to route traffic.

    @jimp:

    But if your ISP isn't doing the proper filtering on their end… who knows what it might do. The return traffic would not reach you, but you could send the packets out, essentially spoofing someone else's network. Some DoS attacks rely on that behavior.

    But if they know my IP address and my MAC ID isn't this enough to be able to route the traffic back?

    I inadvertently transformed this thread from curiosity about the legality of "spoofing" someone else's IP address range (and spoofing was not the intention here, it was more just using from behind a NAT firewall) to privacy concerns regarding IPv6.  I need to learn more on IPv6, visit the IPv6 section more.

    Thanks all for your input and help!


  • Rebel Alliance Developer Netgate

    @pfSensible:

    But if they know my IP address and my MAC ID isn't this enough to be able to route the traffic back?

    No. If the IP is not theirs, they wouldn't have routes for it from the Internet at-large. It wouldn't trust the IP on the packet more than its own (or its upstream's) routing information (BGP, tables, etc). They couldn't deliver it back to you unless you also had a subnet in common with them (e.g. an IP in the same subnet as one of their gateways) and even then, since it's not one of their IP addresses, they wouldn't route it back to you anyhow.

    As fragile as the Internet really is, it's not that fragile, or things would be a lot more broken than they already are…
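The two ISP-side points in jimp's replies above (source filtering keyed to the customer's MAC, and return traffic following the routing table rather than the spoofed source) as one added example, not code from the thread or from any ISP. The binding table, the MAC addresses and the prefixes (RFC 5737 / RFC 3849 documentation space) are all constructed placeholders:

```python
import ipaddress

# Constructed binding table: customer MAC -> prefixes delegated to that access port.
# All prefixes are RFC 5737 / RFC 3849 documentation space, used as placeholders.
BINDINGS = {
    "aa:bb:cc:00:00:01": [ipaddress.ip_network("198.51.100.8/32"),
                          ipaddress.ip_network("2001:db8:1::/48")],
    "aa:bb:cc:00:00:02": [ipaddress.ip_network("198.51.100.9/32"),
                          ipaddress.ip_network("2001:db8:2::/48")],
}

def ingress_filter(src_mac, src_ip, enforce=True):
    """ISP edge: forward a customer packet only if its source sits in a prefix
    delegated to that customer's MAC (BCP 38 style). enforce=False models the
    ISP that does no filtering: anything goes out."""
    if not enforce:
        return "forward"
    src = ipaddress.ip_address(src_ip)
    for net in BINDINGS.get(src_mac, []):
        if src.version == net.version and src in net:
            return "forward"
    return "drop"   # space not delegated to this customer

def return_path(dst_ip):
    """Where the ISP sends a packet coming back from the Internet: by routing
    table (which prefixes it delegated to whom), never by the MAC that happened
    to emit a packet with that address earlier."""
    dst = ipaddress.ip_address(dst_ip)
    for mac, nets in BINDINGS.items():
        if any(dst.version == n.version and dst in n for n in nets):
            return mac
    return "upstream"   # not our space: handed back toward whoever announces it

def demo():
    spoofed = "2001:db8:2::10"   # customer 01 sourcing from customer 02's delegated /48
    me = "aa:bb:cc:00:00:01"
    return {
        "own_src": ingress_filter(me, "2001:db8:1:ff::10"),             # forward
        "spoofed_src": ingress_filter(me, spoofed),                     # drop
        "spoofed_no_filter": ingress_filter(me, spoofed, enforce=False), # forward
        "reply_to_spoofed": return_path(spoofed),    # customer 02's port, not the spoofer
        "reply_to_foreign": return_path("203.0.113.5"),  # upstream, never to a customer
    }
```

The unfiltered case is exactly the asymmetry jimp describes: the packet leaves, but the reply is delivered to whoever the ISP's routing table says owns the address.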