North American Network Operators Group


Re: Actions to quiet the Smurf amplifiers?

  • From: Phil Howard
  • Date: Wed Oct 21 17:49:58 1998

> The reverse-path check is best applied at the CPE router or the access
> router, not in your backbone. If you end up with asymmetric routing (a
> common occurrence these days) there may not be a reverse path for that
> packet you just got from your neighbor and (plop) a valid packet (or
> thousand) get dropped when they should not have been.

The asymmetric routing I've seen is generally outside of our network, e.g.
BGP inconsistency where our traffic to www.otherisp.com goes one way and
their traffic to us comes in another.  Even then we do have BOTH routes
to them most of the time, using only a preferred one.

But within our own network, I strive to make sure there are no asymmetric
routes anywhere.


> I also don't think it's such a hot idea to be universally filtering
> "n.n.n.255" without explicit prior knowledge of the netmask of the network
> involved. Apple Computer, for example, used a 14 bit subnet mask on net 17
> and we used every address in the 10-bit host space that was available to
> use with that scheme, including the three where the last octet is 255. Make
> certain that all your customers know that you're doing this - otherwise
> they may be puzzling over why connectivity works from every address in
> their net number, except for one or two...

We filter n.n.n.255 on incoming only, not on outgoing.  That's safe for us
to do because none of our subnets are larger than /24.  We have only one
customer with more than a /24 and their network is all subnetted with lots
of smaller than /26 anyway.  All space allocations to customers go through
me and I will be checking out anything larger than /24 for certain reasons
other than n.n.n.255.

-- 
 --    *-----------------------------*      Phil Howard KA9WGN       *    --
  --   | Inturnet, Inc.              | Director of Internet Services |   --
   --  | Business Internet Solutions |       eng at intur.net        |  --
    -- *-----------------------------*      philh at intur.net       * --
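
The netmask dependence discussed in this message, as an added example that is not part of the original post: given a list of subnets, it reports which usable host addresses an inbound n.n.n.255 filter would block and, going slightly beyond the post, which directed-broadcast addresses that filter would not match. The function name and the sample prefixes are constructed for illustration; the /22 stands in for the quoted "14 bit subnet mask on net 17" case.

```python
import ipaddress

def audit_dot255_filter(prefixes):
    """Check a blanket 'n.n.n.255' filter against the real subnet plan.

    Returns (blocked_hosts, missed_broadcasts):
      blocked_hosts     - usable host addresses whose last octet is 255
      missed_broadcasts - directed-broadcast addresses not ending in 255
    """
    blocked_hosts, missed_broadcasts = [], []
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen >= 31:
            continue  # /31 and /32 have no directed-broadcast address
        bcast = net.broadcast_address
        # Subnets longer than /24 usually have a broadcast address that
        # does not end in .255, so the filter never matches it.
        if int(bcast) & 0xFF != 0xFF:
            missed_broadcasts.append(str(bcast))
        # Subnets shorter than /24 contain .255 addresses that are
        # ordinary hosts; only the last one is the broadcast address.
        if net.prefixlen < 24:
            for slash24 in net.subnets(new_prefix=24):
                candidate = slash24.broadcast_address  # the x.x.x.255 address
                if candidate != bcast:
                    blocked_hosts.append(str(candidate))
    return blocked_hosts, missed_broadcasts

# Constructed sample plan (not taken from any real allocation).
SAMPLE_PLAN = [
    "17.0.4.0/22",        # 8-bit net + 14-bit subnet = /22, 10 host bits
    "192.0.2.0/24",
    "198.51.100.64/26",
    "198.51.100.192/26",
]

if __name__ == "__main__":
    blocked, missed = audit_dot255_filter(SAMPLE_PLAN)
    print("hosts a .255 filter would block:", blocked)
    print("broadcasts a .255 filter would miss:", missed)
```
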