North American Network Operators Group


RE: dsl providers that will route /24

  • From: David Schwartz
  • Date: Fri Mar 30 03:16:39 2001

> > Subject: RE: dsl providers that will route /24
> >
> > 	That definition, if you really mean it, would make nearly every packet
> > on the Internet spoofed. Sooner or later, pretty much every packet winds
> > up coming into a router with a source not assigned to the customer on
> > the other end of that link.
>
> think edge man, EDGE!

	This 'edge' is potentially mythical. Most circuits go to both machines and
customers. Ultimately, the edge is the source machine.

> > 	I prefer a much more useful definition of "spoofed". A packet is said
> > to be spoofed if it is introduced onto the Internet and originated on a
> > machine whose administration has not been assigned that IP address for
> > use on the Internet.

> And that's different from my definition, how?  You say "machine", I say
> "link".  Which part of that picture does the average ISP have control
> over?

	Well that's the problem. Further up the line, you can't tell where a packet
'really' originated.

> > 	I'd love to hear your explanation of why a unidirectional VPN is a
> > configuration error.

> Your VPN is tunnelled and encrypted, no?
> (BTW, "unidirectional VPN" is an oxymoron -- a net does not go one way)

	'Unidirectional VPN' is not an oxymoron. A VPN emulates a private pipe by
using a public network. A unidirectional VPN emulates a unidirectional
private pipe using a public network. Sometimes, that's all you need.

	For example, suppose you have two offices that each have a /24 from
different ISPs. You have no private link between them. For some reason, you
need to have a machine at one location with an IP address from the 'wrong'
/24. What you'd like to have is a private network between them. Since you
don't have one, you use a virtual private network.

	Obviously, inbound packets to this IP will arrive at the 'wrong' place, so
you need to tunnel them to the right place. However, outbound packets have
both source and destination addresses that are valid on the public Internet.
You could tunnel them, but that would result in increased bandwidth
consumption and gain you basically nothing.

	DS
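The two-office scenario above, and the "link" versus "machine" definitions of a spoofed packet argued over earlier in the thread, as an added example that is not part of the original post or anyone's reply. The topology is constructed: site A holds 192.0.2.0/24 from ISP A, site B holds 198.51.100.0/24 from ISP B (both RFC 5737 documentation ranges), and one host physically at site A is numbered 198.51.100.10 out of site B's block. The link names, router addresses and the remote host are assumptions chosen for the illustration. Inbound packets for that host land at site B and are encapsulated toward site A's router; outbound packets leave site A directly with their real source. The same outbound packet is then checked against both definitions: a per-link source filter on ISP A's circuit (the link-based definition) rejects it, while the assignment-based check (the machine-based definition) accepts it, which is exactly the disagreement in the thread.

```python
"""Unidirectional VPN between two offices, and the two definitions of "spoofed".

Added example, not code from the original NANOG post. All addresses, link
names and the remote host below are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumptions, not from the original post).
SITE_A = ipaddress.ip_network("192.0.2.0/24")        # company's /24 from ISP A
SITE_B = ipaddress.ip_network("198.51.100.0/24")     # company's /24 from ISP B
SITE_A_ROUTER = ipaddress.ip_address("192.0.2.1")    # tunnel terminates here
SITE_B_ROUTER = ipaddress.ip_address("198.51.100.1") # tunnel originates here
ODD_HOST = ipaddress.ip_address("198.51.100.10")     # sits at site A, numbered from B's /24
REMOTE = ipaddress.ip_address("203.0.113.7")         # some host elsewhere on the Internet


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    inner: Optional["Packet"] = None  # set when this packet carries a tunnelled one


# Link-based definition: each customer link has a fixed set of source prefixes
# the ISP will accept (the per-link ingress filter). Link names are assumed.
LINK_ALLOWED = {
    "isp_a->site_a": [SITE_A],
    "isp_b->site_b": [SITE_B],
}

# Machine-based definition: which administration has been assigned which
# prefixes, and which administration runs which originating machine.
ADMIN_ASSIGNED = {"company": [SITE_A, SITE_B]}
HOST_ADMIN = {ODD_HOST: "company", SITE_A_ROUTER: "company", SITE_B_ROUTER: "company"}


def spoofed_by_link(link: str, pkt: Packet) -> bool:
    """Spoofed if the source is not in a prefix assigned to the customer on this link."""
    return not any(pkt.src in p for p in LINK_ALLOWED[link])


def spoofed_by_machine(pkt: Packet) -> bool:
    """Spoofed if the originating machine's administration was never assigned the source."""
    admin = HOST_ADMIN.get(pkt.src)
    return not any(pkt.src in p for p in ADMIN_ASSIGNED.get(admin, []))


def site_b_router(pkt: Packet) -> Packet:
    """Inbound leg. Site B receives everything for its /24, so a packet for the
    odd host arrives here; it is encapsulated toward site A's router instead
    of being delivered locally. Anything else is handled at site B as usual."""
    if pkt.dst == ODD_HOST:
        return Packet(src=SITE_B_ROUTER, dst=SITE_A_ROUTER, inner=pkt)
    return pkt


def site_a_router(pkt: Packet) -> Packet:
    """Decapsulate tunnel traffic from site B and hand the inner packet to the host."""
    if pkt.dst == SITE_A_ROUTER and pkt.inner is not None:
        return pkt.inner
    return pkt


def odd_host_send(dst: ipaddress.IPv4Address) -> Packet:
    """Outbound leg. Source and destination are both globally valid, so the
    host sends directly through ISP A without any tunnel."""
    return Packet(src=ODD_HOST, dst=dst)


def trace() -> dict:
    """Run one inbound and one outbound packet through the setup and classify them."""
    inbound = Packet(src=REMOTE, dst=ODD_HOST)
    on_tunnel = site_b_router(inbound)          # leaves site B encapsulated
    delivered = site_a_router(on_tunnel)        # arrives at the odd host intact
    outbound = odd_host_send(REMOTE)            # leaves site A directly
    return {
        "inbound_tunneled": on_tunnel.inner is not None,
        "inbound_delivered_intact": delivered == inbound,
        # The tunnel's outer source is site B's router, so ISP B's filter passes it.
        "tunnel_passes_isp_b_filter": not spoofed_by_link("isp_b->site_b", on_tunnel),
        # The direct outbound packet fails ISP A's per-link filter...
        "outbound_spoofed_by_link": spoofed_by_link("isp_a->site_a", outbound),
        # ...but is not spoofed under the assignment-based definition.
        "outbound_spoofed_by_machine": spoofed_by_machine(outbound),
    }


if __name__ == "__main__":
    for name, value in trace().items():
        print(f"{name}: {value}")
```

The practical consequence is the one the thread is circling: an ISP that applies a per-link source filter on the site A circuit will drop the outbound leg of this setup, because 198.51.100.10 is not in the prefix assigned to that link, even though the company has legitimately been assigned the address. Tunnelling the outbound leg as well would make it pass that filter, at the cost of the extra bandwidth the post mentions.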