North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Martian list of IP's to block???

  • From: Joe Abley
  • Date: Sat Oct 02 08:17:52 1999

On Fri, Oct 01, 1999 at 08:02:23AM -0400, [email protected] wrote:
>     deny   ip any log
>     deny   ip any log
>     deny   ip any log

These three clauses will block things like ICMP would-fragment and
ttl-expired messages, in the event that some transitory bit of network
between your customer and someone else's customer is numbered using
RFC1918 address space (and causes such messages to be sent).

I know of several networks which use RFC1918 addresses like this,
in the belief that since the elements with these numbers never
need to receive a packet from anybody outside the operator's network,
there is no need for the numbers to be globally unique.

In my opinion, such RFC1918 visibility in the public network is
misguided, and half of the disruption to service caused by rules
like those above could be considered just punishment.

Trouble is, the other half of the disruption is for your customers,
and you know who they're going to blame if they can't reach their
favourite repository of huge flesh-tone jpegs.

Operational content: does anybody actually block packets inbound
from off-net, in the case where they are sourced from an RFC1918
address? If so, do your customers complain?