North American Network Operators Group
source filtering (Re: rfc1918 ignorant)
On Wed, Jul 23, 2003 at 02:10:17PM +0100, [email protected] wrote:
>
> On Wed, 23 Jul 2003, Dave Temkin wrote:
>
> > Is this really an issue?  So long as they're not advertising the space I
> > see no issue with routing traffic through a 10. network as transit.  If
> > you have no reason to reach their router directly (and after Cisco's last
> > exploit, I'd think no one would want anyone to reach their router directly
> > :-) ), what's the harm done?
>
> If Frank's seeing the IP in his traceroute then the network concerned
> isn't properly filtering traffic leaving their borders as per BCP38:
>
> http://www.faqs.org/rfcs/bcp/bcp38.html

I think you'll see more and more networks slowly over time
move closer to bcp38.  I believe that AT&T is the only "tier-1" provider
that is in full compliance with this.  I'm sure some of the smaller
providers are as well.

I've been looking at the "unicast-rpf loose" drops at
the edges of our network the past month off and on and am still
surprised at the bitrate of packets that cannot be returned
to their sources.

I think it's a simple thing to do that will ensure that
you are not carrying all this extra junk traffic on your network.

Another perspective here:

A number of people refuse to answer calls that show up on
their phones as "out of area" or "private".  Why would you answer
or trust IP packets from hosts that are not in the routing table?

While there is no PKI or similar to check if the packets
are authenticated/signed for most of the network traffic, this
does seem like a simple thing to do.  Don't trust packets
if you can't possibly figure out where they are coming from.

- Jared

-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
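Added example, not part of the message above: a small model of the loose unicast-RPF check it mentions (drop a packet when its source address has no route back), with the strict per-interface check alongside for comparison. The FIB, interface names and packets are constructed, and treating the default route as a non-match unless `allow_default` is set is an assumption of this model.

```python
import ipaddress

# Constructed FIB: (prefix, interface the route points out of).
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
]

# Constructed packets: (source address, arrival interface, size in bytes).
PACKETS = [
    ("192.0.2.10", "cust1", 1500),    # customer using its own prefix
    ("198.51.100.7", "cust1", 400),   # routable source, wrong interface
    ("10.1.2.3", "cust1", 64),        # RFC 1918 source, no specific route
]

def lookup(fib, src, allow_default=False):
    """Longest-prefix match on the source; returns the route's interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # assumption: a default route does not satisfy the check
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf(fib, src, in_if, mode="loose", allow_default=False):
    """True if the packet passes: loose needs any route, strict needs a route via in_if."""
    route_if = lookup(fib, src, allow_default)
    if route_if is None:
        return False
    return mode == "loose" or route_if == in_if

def dropped_bytes(fib, packets, mode="loose"):
    """Total bytes the check would drop, the counter worth graphing at the edge."""
    return sum(size for src, in_if, size in packets if not urpf(fib, src, in_if, mode))

if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(mode, dropped_bytes(FIB, PACKETS, mode), "bytes dropped")
```

Loose mode only removes sources that are unroutable; a source borrowed from another customer's prefix still passes it, and letting the default route count makes the loose check pass everything.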