nanog mailing list archives
Re: private ip addresses from ISP
From: Richard A Steenbergen <ras () e-gerbil net>
Date: Tue, 23 May 2006 13:14:46 -0400
On Tue, May 23, 2006 at 12:23:54PM -0400, Patrick W. Gilmore wrote:

> I know it was late when you wrote that, RAS, but from the _very_first_sentence_:

Er yeah I meant to say it says nothing about filtering 1918 packets.

> Please read BCP38 again. (For the first time? :)

Clearly allowing anyone to inject large quantities of spoofed packets into the Internet is Bad (tm), no one is arguing that. First of all note that I was talking about how you deal with packets you receive, not packets you send. Hate to bust out the old "be conservative in what you send and liberal in what you receive" line, but in this case it is true.

There are legitimate uses for RFC1918 sourced packets (as has been pointed out many times, for example, ICMP responses from people who want/need their routers to not source packets from publicly routed space). Filtering every last 1918 sourced packet you receive because it might have a DoS is like filtering all ICMP because people can ping flood. If you want to rate limit it, that is reasonable. If you want to restrict it to ICMP responses only, that is also reasonable. If on the other hand you are determined to filter every 1918 sourced packet between AS boundaries (including ttl exceed, mtu exceed, and dest unreachable) because an RFC told you you "should", you are actually doing your customers a disservice.

If you are an end-user network or don't transit other people's packets and you want to do yourself a disservice then by all means filter 1918 sourced packets until you are blue in the face. If on the other hand you do handle other people's packets, I would encourage you to fully consider the ramifications before you go out and apply those filters. This is why k00ks who can only cite RFC's instead of thinking for themselves and large networks tend to be a bad mix. :)

--
Richard A Steenbergen <ras () e-gerbil net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
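The post argues for a middle ground on packets a transit network *receives* with RFC1918 source addresses: rate limit them, or accept only the ICMP error responses (TTL exceeded, fragmentation needed, destination unreachable) that privately numbered router interfaces legitimately emit, instead of dropping everything. The following Python sketch is an added example written for this archive page, not code from anyone in the thread; the packet model, the token-bucket limiter, the helper names and the sample traffic are all constructed for illustration.

```python
"""Ingress policy sketch for RFC1918-sourced packets (constructed example, not from the thread).

Public sources pass untouched.  ICMP error messages (type 3 destination
unreachable, which includes code 4 fragmentation-needed, and type 11 time
exceeded) from private sources are accepted but rate limited, since a
customer's path-MTU discovery and traceroute depend on them.  Anything
else from private space is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC1918 private address blocks
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP types carrying path information that the receiving customer needs
ICMP_ERROR_TYPES = {3, 11}


def is_rfc1918(addr: str) -> bool:
    """True if the address falls inside any RFC1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Packet:
    src: str
    proto: str                    # "icmp", "tcp" or "udp" (hypothetical model)
    icmp_type: Optional[int] = None


class TokenBucket:
    """Minimal token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def ingress_decision(pkt: Packet, limiter: TokenBucket, now: float) -> str:
    """Return 'accept', 'accept-limited' or 'drop' for one received packet."""
    if not is_rfc1918(pkt.src):
        return "accept"                      # ordinary public source: outside this policy
    if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERROR_TYPES:
        # Legitimate ICMP errors from privately numbered hops: keep them,
        # but cap the rate so a flood of spoofed ones cannot do harm.
        return "accept-limited" if limiter.allow(now) else "drop"
    return "drop"                            # nothing else from 1918 space should arrive here


def run_sample() -> list:
    """Apply the policy to constructed traffic, all arriving at t=0; returns the decisions."""
    limiter = TokenBucket(rate=10.0, burst=2.0)
    traffic = [
        Packet("10.1.2.3", "icmp", 11),      # TTL exceeded from a 1918-numbered router hop
        Packet("172.16.9.1", "icmp", 3),     # unreachable / frag-needed from a 1918 hop
        Packet("10.1.2.4", "icmp", 11),      # third error in the same instant: burst exhausted
        Packet("192.168.0.5", "tcp"),        # TCP from private space: leaked or spoofed
        Packet("10.0.0.9", "icmp", 8),       # echo request from private space: not an error response
        Packet("198.51.100.7", "udp"),       # public source, untouched
    ]
    return [ingress_decision(p, limiter, now=0.0) for p in traffic]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The point of the `accept-limited` branch is the one the post makes: the ICMP errors are what customers behind you need for path MTU discovery and traceroute to work, so the limiter bounds the abuse case without throwing them away; a real deployment would tune the bucket and attach it per interface rather than globally.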
Current thread:
- private ip addresses from ISP adrian kok (May 17)
- RE: private ip addresses from ISP Ivan Groenewald (May 17)
- RIPE IP Anti-Spoofing Task Force (Was: private ip addresses from ISP) Jeroen Massar (May 17)
- RE: private ip addresses from ISP David Schwartz (May 17)
- <Possible follow-ups>
- RE: private ip addresses from ISP Andrew Kirch (May 22)
- Re: private ip addresses from ISP Hyunseog Ryu (May 22)
- Re: private ip addresses from ISP Richard A Steenbergen (May 23)
- Re: private ip addresses from ISP Edward B. DREGER (May 23)
- Re: private ip addresses from ISP Patrick W. Gilmore (May 23)
- Re: private ip addresses from ISP Richard A Steenbergen (May 23)
- Re: private ip addresses from ISP sthaug (May 23)
- Re: private ip addresses from ISP Patrick W. Gilmore (May 23)
- RE: private ip addresses from ISP Ivan Groenewald (May 17)
- Re: private ip addresses from ISP Daniel Senie (May 23)
- RE: private ip addresses from ISP Frank Bulk (May 23)
- Re: private ip addresses from ISP Joe Maimon (May 23)
- RE: private ip addresses from ISP Brian Johnson (May 23)
- Re: private ip addresses from ISP Joe Maimon (May 23)