North American Network Operators Group


Re: dsl providers that will route /24

  • From: Valdis.Kletnieks
  • Date: Tue Mar 27 23:14:44 2001

On Tue, 27 Mar 2001 15:18:08 PST, David Schwartz said:
> 	The problem is, the filter will block legitimate traffic. IP does not
> provide any sure way to tell a spoofed packet from an unspoofed packet.

Hmm.. if I *know* that my customer has a single-homed /24, and I see a
packet come in from his /24 that has a source address outside that /24,
there's a *pretty* *good* chance that something squirrely is going on.

But we *know* that this crowd is a "tough room" - we just *had* a flame
fest regarding filtering RFC1918 addresses.  So I won't go there again. ;)

> 	Do an informal survey. Ask network operators who ingress filter whether
> they log and investigate packets that hit the filter. I will bet you that
> more than 2/3 say they don't. In other words, the filter substitutes for

And a survey of DNS servers quite recently showed that 16% still haven't
upgraded to non-hackable versions of BIND.  A lot of people drive without
seat belts too.  Just because 2/3 of a group do something doesn't mean
it's a good idea.

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
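The ingress check Valdis describes (a single-homed customer on a known /24, so any packet arriving on that customer's port with a source address outside the /24 is almost certainly spoofed), together with the "log and investigate the hits" point from the quoted survey, as an added example that is not part of the original post. The interface names, the customer prefixes (taken from the RFC 5737 documentation ranges) and the sample packets are all constructed for illustration; nothing here is a real operator's configuration.

```python
"""BCP38-style ingress source-address filter for single-homed customer ports.

Added example, not from the original NANOG post.  Interface names, customer
prefixes and the sample packets are constructed; the prefixes are RFC 5737
documentation ranges, not real allocations.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical per-interface table: the only source prefixes that may
# legitimately enter on each customer-facing port.  Because each customer is
# single-homed, the list is exact: nothing else can arrive there honestly.
INGRESS_ALLOW: Dict[str, List[ipaddress.IPv4Network]] = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],       # customer A (constructed)
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/24")],    # customer B (constructed)
}


@dataclass
class Packet:
    iface: str   # ingress interface the packet arrived on
    src: str     # source address as text, exactly as seen on the wire
    dst: str


@dataclass
class FilterResult:
    accepted: List[Packet] = field(default_factory=list)
    dropped: List[Packet] = field(default_factory=list)
    log: List[str] = field(default_factory=list)   # one record per filter hit


def ingress_filter(packets: List[Packet],
                   allow: Optional[Dict[str, List[ipaddress.IPv4Network]]] = None,
                   log_hits: bool = True) -> FilterResult:
    """Drop packets whose source is outside the prefix assigned to their ingress port.

    Interfaces absent from `allow` (uplinks, peering) are not customer ports and
    are passed untouched: the check is only sound where we *know* the source set.
    """
    allow = INGRESS_ALLOW if allow is None else allow
    result = FilterResult()
    for pkt in packets:
        permitted = allow.get(pkt.iface)
        if permitted is None:
            result.accepted.append(pkt)
            continue
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            # Unparseable source can never match an allowed prefix: treat as a hit.
            src = None
        if src is not None and any(src in net for net in permitted):
            result.accepted.append(pkt)
        else:
            result.dropped.append(pkt)
            if log_hits:
                # Record enough to investigate later: which port, what it claimed,
                # where it was headed, and what that port was allowed to send.
                result.log.append(
                    f"INGRESS-DENY iface={pkt.iface} src={pkt.src} dst={pkt.dst} "
                    f"allowed={','.join(str(n) for n in permitted)}"
                )
    return result


def hits_per_interface(result: FilterResult) -> Dict[str, int]:
    """Aggregate filter hits by customer port, so spoofing sources stand out."""
    return dict(Counter(pkt.iface for pkt in result.dropped))


# Constructed sample traffic: two honest packets per customer port, one
# RFC 1918 source, one spoofed public source, customer B spoofing customer A's
# address, and a packet on an uplink that this policy does not cover.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "192.0.2.10", "203.0.113.1"),       # A, legitimate
    Packet("ge-0/0/1", "10.0.0.5", "203.0.113.1"),         # A, RFC 1918 source: hit
    Packet("ge-0/0/1", "203.0.113.7", "203.0.113.1"),      # A, spoofed public: hit
    Packet("ge-0/0/2", "198.51.100.44", "203.0.113.1"),    # B, legitimate
    Packet("ge-0/0/2", "192.0.2.10", "203.0.113.1"),       # B claiming A's address: hit
    Packet("xe-1/0/0", "203.0.113.7", "192.0.2.10"),       # uplink, not a customer port
]


def run_sample(log_hits: bool = True) -> FilterResult:
    """Apply the filter to the constructed sample traffic."""
    return ingress_filter(SAMPLE_PACKETS, log_hits=log_hits)


if __name__ == "__main__":
    res = run_sample()
    for line in res.log:
        print(line)
    print("hits per interface:", hits_per_interface(res))
```

The `log_hits` flag is the point of the quoted survey: the filter drops the same packets either way, but only with logging on does an operator learn that a particular customer port is emitting spoofed sources and can go and investigate it.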