by sgjohnson
997 days ago
Private address ranges don’t make a network private. A firewall does. If I know the external, publicly addressable IP address of your router (e.g. 135.77.9.106), and no firewall whatsoever, there’s nothing at all preventing me from doing `ip route add 10.0.0.0/8 135.77.9.106`, and voila, I’d have a route to your “private” network. Using private addresses vs globally unique offers no security benefit whatsoever.
This only works if you are on the same L2 segment as 135.77.9.106, or control and install this route on every router between you and it. Otherwise, 10/8 will get routed to the next hop for 135.77.9.106, i.e. your local gateway, which won't know anything about the intended 135.77.9.106 destination and will route it normally (which likely means dropping it).
It's true that firewall rules should be in place to prevent this attack from your direct neighbors, but it's not possible to perform it over multiple hops that you don't control.
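A small model of the forwarding decision the two comments argue about, added here as an example (not code from either commenter): a host does longest-prefix match, resolves a next hop recursively if it is not on-link, and the target router applies (or does not apply) a WAN ingress filter on RFC 1918 destinations. Only 135.77.9.106 comes from the thread; the attacker networks (198.51.100.0/24 remote, 135.77.9.0/24 as the target's assumed WAN segment) and the 10.0.0.5 destination are constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Host:
    """Toy model of a host's forwarding table: on-link prefixes plus (prefix, next-hop) routes."""

    def __init__(self, links, routes):
        self.links = [ipaddress.ip_network(l) for l in links]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh)) for p, nh in routes]

    def next_hop(self, dst):
        """Longest-prefix match, as a real FIB does; None if no route covers dst."""
        dst = ipaddress.ip_address(dst)
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

    def first_hop(self, dst, depth=0):
        """Who really gets the frame: the next hop if on-link, else whatever the next hop itself resolves to."""
        nh = self.next_hop(dst)
        if nh is None or depth > 8:   # no route, or a resolution loop
            return None
        if any(nh in link for link in self.links):
            return nh
        return self.first_hop(nh, depth + 1)   # recursive resolution via the default gateway

def wan_router_accepts(dst, filter_private):
    """Target router's WAN side: the IP destination is still 10.x whoever delivered the frame."""
    dst = ipaddress.ip_address(dst)
    return not (filter_private and any(dst in n for n in RFC1918))

def attacker_reaches_private(attacker, target_wan, dst, filter_private):
    """True only if the frame lands on the target router AND its WAN policy admits it."""
    if attacker.first_hop(dst) != ipaddress.ip_address(target_wan):
        return False   # frame went to the attacker's own gateway, which routes 10/8 by destination
    return wan_router_accepts(dst, filter_private)

# Constructed scenarios: 135.77.9.106 is the router from the thread, everything else is made up.
ROGUE_ROUTE = ("10.0.0.0/8", "135.77.9.106")   # the `ip route add` from the first comment

def remote_attacker():       # elsewhere on the Internet (198.51.100.0/24 is a documentation range)
    return Host(["198.51.100.0/24"], [("0.0.0.0/0", "198.51.100.1"), ROGUE_ROUTE])

def neighbour_attacker():    # same L2 segment as the target's WAN (assumed to be 135.77.9.0/24)
    return Host(["135.77.9.0/24"], [("0.0.0.0/0", "135.77.9.1"), ROGUE_ROUTE])

if __name__ == "__main__":
    for name, host in (("remote", remote_attacker()), ("neighbour", neighbour_attacker())):
        print(name, [attacker_reaches_private(host, "135.77.9.106", "10.0.0.5", f) for f in (False, True)])
```

The remote host's frame for 10.0.0.5 goes to 198.51.100.1, never to 135.77.9.106; only the on-link neighbour reaches the router, and a WAN filter on RFC 1918 destinations stops that case too.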