North American Network Operators Group


Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)

  • From: vijay gill
  • Date: Sun Mar 07 21:45:02 2004

On Sun, Mar 07, 2004 at 08:35:54PM +0000, Christopher L. Morrow wrote:
> 
> 
> Here is a sticky point... There are reasons to allow 10.x.x.x sources to
> transit a network. Mostly the reasons come back to 'broken' configurations
> or 'broken' hardware. The reasons still equate to customer calls and
> 'broken' networking from their perspective. I think the thing you are
> actually driving at is the 'intent' of the packet, which is quite tough
> for the router to determine.


Putting rubber to the road eventually, we actually went ahead and
packet-filtered RFC 1918 space on our edge. I know Paul and Stephen
will be crowing with joy here, as we had several arguments about
it in previous lives, but having gone ahead and filtered it,
nothing appears to have broken, or at least nothing got called
in. We've been doing it for several months now.

/vijay