North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: private ip addresses from ISP

  • From: Patrick W. Gilmore
  • Date: Tue May 23 13:43:21 2006

On May 23, 2006, at 1:14 PM, Richard A Steenbergen wrote:


Filtering every last 1918 sourced packet you receive because it might have
a DoS is like filtering all ICMP because people can ping flood. If you
want to rate limit it, that is reasonable. If you want to restrict it to
ICMP responses only, that is also reasonable. If on the other hand you are
determined to filter every 1918 sourced packets between AS boundries
(including ttl exceed, mtu exceed, and dest unreachable) because an RFC
told you you "should", you are actually doing your customers a disservice.

If you are an end-user network or don't transit other people's packets and
you want to do yourself a disservice then by all means filter 1918 sourced
packets until you are blue in the face. If on the other hand you do handle
other people's packets, I would encourage you to fully consider the
ramifications before you go out and apply those filters. This is why k00ks
who can only cite RFC's instead of think for themselves and large networks
tend to be a bad mix. :)
No one is arguing that you should ruin your business because an RFC told you to. (At least no one reasonable.) However, in your first post you said:

If you're receiving RFC1918 sourced packets, for the
most part you really shouldn't care. There are semi-legitimate reasons for
packets with those sources addresses to float around the Internet, and
they don't hurt anything.
I disagree. As do many people. You -should- care when people do bad things. And passing bogon-source packets between ASes is a Bad Thing.

You suggest thwacking people "over the head with a cluebat" when they send you 1918 prefixes. Is that really a problem? It's easy to filter (as everyone should be doing already), and doesn't really 'break' anything. So why the vehemence? Because it is a Bad Thing. And the Internet doesn't work if everyone does Bad Things. As a result, you get upset when people do Bad Things.

But, as you point out, sometimes customers are stupid. So sometimes you have to do things that upset you. You get paid for connectivity, and customers don't understand why certain actions hurt the Internet.

For instance, I get pissed when someone sends 256 /24s instead of one /16. But that doesn't mean I suggest filtering all 256 /24s. Customers would get pissed if they can't reach their fav pr0n server in that /16. Similarly, if someone sends you 1918-sourced packets, you may have to accept them to keep your customers happy. But you should care. And you should be upset.

Telling people they need to see a shrink for trying to keep the 'Net clean is not the correct response.