14

Here is a log of tracert superuser.com from my computer:

Tracing route to superuser.com [198.252.206.16]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  192.168.1.1 
  2    11 ms    17 ms     9 ms  10.216.128.1 
  3    12 ms    17 ms    14 ms  89-75-22-81.infra.chello.pl [89.75.22.81] 
  4    23 ms    17 ms    17 ms  84.116.192.102 
  5    18 ms    18 ms    15 ms  pl-krk01a-rd4-ae0-2183.aorta.net [84.116.253.70] 
  6    20 ms    16 ms    15 ms  pl-waw04a-rd1-ae12-2158.aorta.net [84.116.252.225] 
  7    15 ms    15 ms    15 ms  84.116.135.225 
  8    17 ms    19 ms    24 ms  henet.plix.pl [195.182.218.197] 
  9    34 ms    44 ms    49 ms  10ge1-2.core1.prg1.he.net [184.105.213.241] 
 10    33 ms    44 ms    34 ms  10ge15-3.core1.fra1.he.net [184.105.213.233] 
 11    45 ms    51 ms    48 ms  100ge5-2.core1.par2.he.net [72.52.92.13] 
 12   161 ms   163 ms   156 ms  10ge15-1.core1.ash1.he.net [184.105.213.93] 
 13   131 ms   124 ms   124 ms  100ge7-1.core1.nyc4.he.net [184.105.223.166] 
 14   121 ms   121 ms   121 ms  10ge4-1.core1.nyc5.he.net [184.105.213.218] 
 15   122 ms   120 ms   121 ms  lightower-fiber-networks.10gigabitethernet3-2.core1.nyc5.he.net [216.66.50.106] 
 16   122 ms   123 ms   121 ms  ae12.nycmnyzrj91.lightower.net [64.72.64.110] 
 17   122 ms   120 ms   122 ms  ae2-jrcynj67j41.lightower.net [72.22.160.175] 
 18   123 ms   123 ms   122 ms  69.46.229.98.lightower.net [69.46.229.98] 
 19   124 ms   123 ms   123 ms  stackoverflow.com [198.252.206.16] 

Trace complete.

The first entry (192.168.1.1) is my router, which does not surprise me. What is weird is the second entry, 10.216.128.1, which shows even when doing the traceroute from my router or when the computer is directly connected to the internet. My router has a public IP — is my ISP violating the IP standard? Would such a configuration prevent me from using the 10.216.128.x range in my own network?

There is a diagram in an answer to a related question which does not really answer mine — my router knows nothing of the 10.216.128.x network, and the hop shows even when tracerting other hosts on its subnet, which the router should theoretically be able to contact directly:

Tracing route to 89-66-132-2.dynamic.chello.pl [89.66.132.2]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  192.168.1.1 
  2    27 ms    11 ms    10 ms  10.216.128.1 
  3    18 ms    21 ms    18 ms  89-66-132-2.dynamic.chello.pl [89.66.132.2] 

Trace complete.

What is funny is that this private IP does not show up when tracerting the gateway:

Tracing route to 89-66-132-1.dynamic.chello.pl [89.66.132.1]
over a maximum of 30 hops:

  1     3 ms     2 ms     2 ms  192.168.1.1 
  2    10 ms    11 ms    11 ms  89-66-132-1.dynamic.chello.pl [89.66.132.1] 

Trace complete.

while tracerting an address which is not even in the same network it shows up again, while the gateway seemingly disappears:

Tracing route to 89-69-109-1.dynamic.chello.pl [89.69.109.1]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  192.168.1.1 
  2    12 ms    14 ms    12 ms  10.216.128.1 
  3    16 ms    15 ms    21 ms  89-69-109-1.dynamic.chello.pl [89.69.109.1] 

Trace complete.
20
  • 1
    possible duplicate of private address in traceroute results
    – kinokijuf
    Commented Jul 7, 2014 at 10:34
  • You say you have a public IP. When you do ipconfig on your computer, does it show a public IP? Is your "router" set to "bridge mode" (that might be a requirement for having a public IP)?
    – barlop
    Commented Jul 7, 2014 at 10:42
  • @barlop I have a public IP on my router, not my computer.
    – kinokijuf
    Commented Jul 7, 2014 at 10:43
  • Perhaps you should reword your title to Why do I have a private IP directly after router, in tracert results? That makes it a different question to superuser.com/questions/611736/… There is a diagram in the answer to that question but it doesn't really answer yours.
    – barlop
    Commented Jul 7, 2014 at 10:51
  • Can you http to 10.216.128.1 ?
    – barlop
    Commented Jul 7, 2014 at 10:54

3 Answers

20

The line 89-75-22-81.infra.chello.pl at the top of the traceroute suggests you are using a cable connection. Chello is a brand formerly used by UPC, a cable internet service provider. The appearance of an IP address in a private range immediately after your local network is normal for cable connections.

The address 10.216.128.1 belongs to a cable modem termination system (CMTS). It is sometimes referred to as a Universal Broadband Router (uBR), though I believe that is exclusively a Cisco term. Its function is roughly equivalent to that of your cable modem. Only part of your internet connection runs via the coaxial cable between you and your ISP. At home, your cable modem translates between coax interfaces on one side and ethernet interfaces on the other. In the same way, your provider hooks up the coax cables to the rest of their infrastructure via a CMTS. The main difference between the two pieces of equipment is that a single CMTS often serves thousands of cable modems. Even the tiny Cisco uBR7100 below can handle up to 2000 clients.

[Image: uBR7100]

The subscriber side of a CMTS is basically a dead end in the infrastructure and does not need to be available to anyone but the subscribers. It is therefore very practical for it to have an IP address in a private range, which is what you're seeing by executing a traceroute from your machine. This again is equivalent to your modem/router at home, which will have both a private and a public address. The private one appears on your traceroute: 192.168.1.1.

A trace to your address does not show 192.168.1.1 at the end, even though in both cases it is the same device responding.

15    40 ms    39 ms    39 ms  84.116.192.101
16    37 ms    37 ms    39 ms  89-75-22-82.infra.chello.pl [89.75.22.82]
17    45 ms    48 ms    45 ms  89-66-132-177.dynamic.chello.pl [89.66.132.177]

Trace complete.

Based on these traces, I've drafted the diagram below to visualise the network.

[Image: network diagram]

For the purpose of explaining the nuts and bolts of your connection to the internet, it is unfortunate that the CMTS does not decrease the packet's time to live in both directions (when the TTL runs out, hosts return an error message to the source, which is how traceroute compiles its list). This is not uncommon; like ordinary network switches, CMTSs operate on layer 2 of the OSI model, but not all CMTSs are configured this way. For example, a trace to me would list the following as the last hop before the destination (note the descriptive 'ubr' in the hostname):

213.51.138.75    emn-rc0001-ubr014-te3-0-0-202.core.as9143.net

Network-tools.com has a useful tool for executing a trace to yourself from elsewhere on the internet.

I've never actually worked with these kinds of systems, so my understanding of the subject is quite limited. Nevertheless, I hope I've been able to shed some light on why a private range IP address appears in your traces and what its purpose is.

5
  • 1
    @kinokijuf Did you read his answer? That's exactly what he says: "This again is equivalent to your modem/router at home, which will have both a private and a public address. The private one appears on your traceroute: '192.168.1.1'." Just as your device has a private address to "downstream" devices and a public address to "upstream" devices, so does the device upstream from it. Commented Jul 7, 2014 at 13:12
  • It sounds like you know what you're talking about but due to the complexity, it is still a bit unclear as can be seen by the OP's comment to your answer. Perhaps you can include a diagram, such as the one used in the answer to this question superuser.com/questions/611736/… i.e. showing each Router, and the IP on each interface of each router. Of course, in that question he didn't have 2 private IPs one after the other. And that's where a diagram showing what is happening would be useful.
    – barlop
    Commented Jul 7, 2014 at 13:39
  • e.g. appearances aside. What is the (I won't say public IP in case it isn't) What is the WAN IP, of his router and is it on the same subnet as the 10/8 address that comes next in the traceroute. A diagram would be very helpful in clarifying what is happening. AFAIK you can't have a connection with an IP on one subnet at one end, and an IP on a different subnet on another end and no router in between. So connecting a 192 to a 10 or an 86 to a 10 sounds funny.
    – barlop
    Commented Jul 7, 2014 at 13:41
  • 1
    @barlop: That's a good note, I'll get to work on that in a moment. Thanks. Commented Jul 7, 2014 at 13:45
  • 1
    Your diagram is wrong. I have determined that 89.75.22.82 is likely the WAN side of the CMTS, and 84.116.192.101 is the WAN side of the router whose subscriber side is 89.75.22.81.
    – kinokijuf
    Commented Jul 11, 2014 at 14:06
0

A traceroute works by sending packets, each with an increasing TTL (hop limit). Whenever the hop limit is reached the last router will send back an error message telling you about this. The IP addresses you see in a traceroute are what that router uses as its source address in the error message. Although both you and your final destination have public IP addresses it is perfectly possible for a router in between to use a private address when sending its error message.

There can be multiple reasons for this. One is that there is a link between two routers on the path that uses private addresses. That is not a problem. Another reason can be that one of the routers uses a private address as source address for these error messages even though it has a non-private address available as well. (Remember that the difference between public and private addresses is only in our heads. Technically they are both just addresses.)

In your case I am guessing it is a combination of the following:

  • you are sending all traffic (even to the local subnet) through the default gateway
  • when doing a traceroute to that default gateway it is the final destination so the trace ends
  • when doing a traceroute to another destination the gateway will forward the packet but use a private address as source for error messages

If not this, then the ISP might be doing some special routing/bridging. That can happen on e.g. cable networks.
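An added example, not part of the answer above: a small Python parser for Windows tracert output that labels the address each hop replied from as RFC 1918, RFC 6598 shared space, or public, run over the first hops of the trace posted in the question. The function names, and the assumption that hop 1 is your own router, belong to this example only.

```python
import ipaddress
import re

# Windows tracert hop row: hop number, three RTT columns ("12 ms", "<1 ms" or "*"),
# then either "hostname [ip]" or a bare IPv4 address.
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(?:(\S+)\s+\[([0-9.]+)\]|([0-9.]+))\s*$"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 (carrier-grade NAT)

def classify(ip):
    """Label the source address of an ICMP reply by address scope."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in SHARED:
        return "shared"
    return "public" if addr.is_global else "special"

def parse_tracert(text):
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # headers, blank lines, "Request timed out." rows
        ip = m.group(3) or m.group(4)
        hops.append({"hop": int(m.group(1)), "host": m.group(2),
                     "ip": ip, "scope": classify(ip)})
    return hops

def private_past_gateway(hops):
    """Non-public hops after hop 1 (assumption: hop 1 is your own router)."""
    return [h for h in hops if h["hop"] > 1 and h["scope"] != "public"]

# First hops of the trace posted in the question.
SAMPLE = """\
Tracing route to superuser.com [198.252.206.16]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  192.168.1.1
  2    11 ms    17 ms     9 ms  10.216.128.1
  3    12 ms    17 ms    14 ms  89-75-22-81.infra.chello.pl [89.75.22.81]
  4    23 ms    17 ms    17 ms  84.116.192.102
"""

if __name__ == "__main__":
    for h in parse_tracert(SAMPLE):
        print(h["hop"], h["ip"], h["scope"])
```
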

0

If the time of the hop is more than the following hop, for example:

  • address 1 102.34.56.72 1 ms
  • address 2 (private) 10.2.45.23 3 ms
  • address 3 102.34.56.72 1 ms
  • address 4 178.23.34.88 2 ms

Then I would suspect a man-in-the-middle (spoof), especially if the end addresses in the trace return no response. Usually, in a spoof attack, the address hop return time after the (spoof) private address will begin over.
