North American Network Operators Group


Re: Who does source address validation? (was Re: what's that smell?)

  • From: Stephen J. Wilcox
  • Date: Wed Oct 09 18:04:56 2002

On Wed, 9 Oct 2002, Joe Abley wrote:

> 
> 
> On Wednesday, Oct 9, 2002, at 11:36 Canada/Eastern, Stephen J. Wilcox wrote:
> 
> > On Tue, 8 Oct 2002, Greg A. Woods wrote:
> >
> >> Such things REALLY _NEEED_ to be broken, and the sooner the better as
> >> then perhaps the offenders will fix such things sooner too, because they
> >> are by definition already broken and in violation of RFC 1918 and good
> >> common sense.
> >
> > Ok but real world calling. I have tried this and when customers find something
> > doesn't work on your network but it does on your competitor you make it work even
> > if that means breaking rules.
> 
> What services require transport of packets with RFC1918 source addresses across
> the public network?

None afaik, which is why they should be blocked - on ingress from customer links.
Don't get me wrong, I'm just sharing experience, not ethics, and saying we should
all adhere to the RFC, but if you apply filters that assume others are also doing
so you may be surprised..

Without repeating myself or list archives, it's all very well strictly following
all the RFC guidelines and saying to tell the planet it's Microsoft or @Home's
fault it's not working, but the customers really don't buy it and they will go
elsewhere, and it mightn't be about corporate $$$s but those same $$$s pay your
wages and then it starts to hurt!

> I can think of esoteric examples of things it would be possible to do, but
> nothing that a real-world user might need (or have occasion to complain about).

On a related issue (pMTU) I recently discovered that using a link with MTU <
1500 breaks a massive chunk of the net - specifically mail and webservers which
block all inbound ICMP.. the servers assume 1500, send out the packets with DF
set, they hit the link generating an ICMP frag-needed, the ICMP is filtered and data
stops. Culprits included several major ISP/Telcos ... I'd love to tell the
customer the link is fine, it's the rest of the Internet at fault, but in the end I
just forced the DF bit clear as a temp workaround before finally swapping out to
MTU 1500!

> Do you have experience of such breakage from your own customers? It would be
> interesting to hear details.

I did attempt strict ingress filtering at borders after a DoS some time ago; I
figured I'd disallow any non-public addresses. I took it off within a day after
a number of customers found a whole bunch of things had stopped working...

Unfortunately I can't give you an example as this was a while back and I don't
have the details to hand.

But if anyone with an appreciably sized customer base wants to try implementing
such filters, feel free to forward the customer issues to the list as references!

Steve
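The pMTU black hole Steve describes, as an added example in Python that is not part of this thread: a sender assuming a 1500-byte MTU, a link with a smaller MTU, and a firewall in front of the sender that drops all inbound ICMP. The fragmentation arithmetic is my own simplified model; the three outcomes it reproduces (PMTUD adapts, the transfer stalls, DF cleared so the router fragments) are the ones the mail describes.

```python
ICMP_FRAG_NEEDED = (3, 4)   # ICMP Destination Unreachable, code 4: Fragmentation Needed and DF set
IP_HEADER = 20              # minimum IPv4 header, bytes


def link_forward(pkt_size, df, link_mtu):
    """Router behaviour at a link of link_mtu bytes.

    Returns ("forwarded", [sizes]) when the packet (or its fragments) goes through,
    or ("icmp", (type, code, next_hop_mtu)) when DF is set and the packet is too big.
    """
    if pkt_size <= link_mtu:
        return ("forwarded", [pkt_size])
    if df:
        return ("icmp", (*ICMP_FRAG_NEEDED, link_mtu))
    # DF clear: the router fragments. Fragment payloads are multiples of 8 bytes,
    # as the IPv4 fragment offset field requires (constructed, simplified model).
    payload = (link_mtu - IP_HEADER) // 8 * 8
    remaining = pkt_size - IP_HEADER
    fragments = []
    while remaining > 0:
        chunk = min(payload, remaining)
        fragments.append(chunk + IP_HEADER)
        remaining -= chunk
    return ("forwarded", fragments)


def transfer(total_bytes, link_mtu, icmp_filtered, df=True, assumed_mtu=1500, max_retries=8):
    """Push total_bytes of payload from a host that assumes assumed_mtu through the link.

    icmp_filtered models a firewall in front of the sender that drops all inbound ICMP,
    so the Fragmentation Needed message never arrives and PMTU discovery cannot adapt.
    """
    mtu, delivered, black_holed = assumed_mtu, 0, 0
    while delivered < total_bytes and black_holed < max_retries:
        size = min(mtu, total_bytes - delivered + IP_HEADER)
        outcome, detail = link_forward(size, df, link_mtu)
        if outcome == "forwarded":
            delivered += size - IP_HEADER
        elif icmp_filtered:
            black_holed += 1      # sender sees only a timeout and retransmits at the same size
        else:
            mtu = detail[2]       # PMTUD: sender lowers its path MTU to the advertised value
    return {"delivered": delivered, "mtu": mtu, "black_holed": black_holed,
            "stalled": delivered < total_bytes}
```

The defender's check this implies: an inbound ICMP policy has to pass type 3 code 4 for PMTU discovery to keep working behind the filter, otherwise any path with a sub-1500 MTU turns into the stall above.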