North American Network Operators Group


Re: Cisco says attacks are due to operational practices

  • From: Daniel Senie
  • Date: Fri Feb 11 00:26:38 2000

Sean Donelan wrote:
> 
> On Thu, 10 February 2000, Paul Ferguson wrote:
> > Excuse me, but can you please tell me what "application" a downstream
> > customer might be running which originates packets for traffic with
> > source addresses which they are not advertising (or you are advertising
> > for them)?
> 
> The usual example given is Hughes DirectPC, which sends packets with
> a source address of the satellite link via a dialup ISP connection.

This is the same concept used in the original Mobile IP designs. They
expected the Internet would only ever look at destination IP address
when forwarding packets. When we wrote RFC 2267, this issue was raised.
As a result, Mobile IP folks had to look at tunneling the return
traffic.

The right answer for DirectPC is the same. Tunnel the traffic so that
it's on valid IP addresses. Using inappropriate source IP addresses for
the network you're on is just not going to fly. We have the technology
to deal with it.

In the multihomed case, the upstream providers should be made aware,
either via a BGP advertisement or telephone call or whatever. Blindly
allowing all traffic from a multihomed customer isn't likely to be a
good plan in the long run.

-- 
-----------------------------------------------------------------
Daniel Senie                                        [email protected]
Amaranth Networks Inc.            http://www.amaranthnetworks.com
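The thread above argues that a provider should only accept packets from a customer port whose source addresses fall within prefixes the customer advertises (or has otherwise registered), and that asymmetric designs such as DirectPC or early Mobile IP should tunnel their traffic rather than emit foreign source addresses. The following Python simulation is an added example, not code from the NANOG thread or from any of its participants: it models an RFC 2267-style ingress filter on a customer port, shows the DirectPC-style packet being dropped, shows the tunneled form of the same packet passing, and shows the multihomed case where an extra prefix has been registered with the upstream. All prefixes, addresses and packet contents are constructed for illustration (TEST-NET ranges), and the `CustomerPort`, `Packet`, `ingress_filter` and `tunnel` names are this example's own.

```python
"""RFC 2267 / BCP 38 style ingress filtering, as a worked simulation.

Added example for the NANOG thread; not part of the original messages.
All addresses below are constructed (documentation ranges), not real ones.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CustomerPort:
    """An ISP access port and the source prefixes its customer may originate.

    allowed_prefixes starts as whatever the customer advertises (or the ISP
    advertises for them).  For a multihomed customer, prefixes reached via the
    other provider are added with register_prefix() once the upstream has
    been told about them (BGP advertisement, phone call, or similar).
    """
    name: str
    allowed_prefixes: list = field(default_factory=list)

    def register_prefix(self, prefix: str) -> None:
        self.allowed_prefixes.append(ipaddress.ip_network(prefix))

    def permits_source(self, src: str) -> bool:
        """True if src lies inside any prefix registered on this port."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowed_prefixes)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes = b""


def ingress_filter(port: CustomerPort, packets):
    """Apply the ingress filter; return (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if port.permits_source(pkt.src) else dropped).append(pkt)
    return accepted, dropped


def tunnel(packet: Packet, outer_src: str, outer_dst: str) -> Packet:
    """Encapsulate a packet so the outer header carries a source address that is
    valid on the access network (the fix proposed for DirectPC / Mobile IP).
    The inner packet, with its original addresses, rides as the payload."""
    inner = f"{packet.src}>{packet.dst}|".encode() + packet.payload
    return Packet(src=outer_src, dst=outer_dst, payload=inner)


def demo() -> dict:
    """Run the three scenarios from the thread and report what got through."""
    # Constructed: the dialup ISP hands this customer addresses from 192.0.2.0/24.
    port = CustomerPort("dialup-customer-1")
    port.register_prefix("192.0.2.0/24")

    normal = Packet("192.0.2.17", "198.18.0.1", b"GET /")
    # Constructed: a DirectPC-style host using its satellite-side address
    # (198.51.100.7) as the source while sending out the dialup link.
    satellite_sourced = Packet("198.51.100.7", "198.18.0.1", b"GET /")

    accepted, dropped = ingress_filter(port, [normal, satellite_sourced])
    results = {
        "plain_accepted": [p.src for p in accepted],
        "plain_dropped": [p.src for p in dropped],
    }

    # The proposed fix: tunnel the satellite-sourced packet inside one whose
    # outer source is the dialup address; the ingress filter now passes it.
    tunneled = tunnel(satellite_sourced, outer_src="192.0.2.17",
                      outer_dst="198.51.100.1")
    accepted, dropped = ingress_filter(port, [tunneled])
    results["tunneled_accepted"] = len(accepted) == 1 and not dropped

    # Multihomed case: the customer also holds 203.0.113.0/24 via another
    # provider; once the upstream is told, sources from it are legitimate.
    multihomed = Packet("203.0.113.9", "198.18.0.1", b"GET /")
    _, dropped_before = ingress_filter(port, [multihomed])
    port.register_prefix("203.0.113.0/24")
    accepted_after, _ = ingress_filter(port, [multihomed])
    results["multihomed_dropped_before"] = len(dropped_before) == 1
    results["multihomed_accepted_after"] = len(accepted_after) == 1
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filter here is a per-port allow list, which is the simplest form of the check; on a real router it is a unicast RPF check or an access list built from the customer's advertised prefixes. The multihomed branch illustrates why the email asks that upstreams be told explicitly: without the registered prefix, the legitimately owned 203.0.113.0/24 traffic is indistinguishable from a forged source and is dropped.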