private ip addresses from ISP
Richard A Steenbergen
ras at e-gerbil.net
Tue May 23 17:14:46 UTC 2006
On Tue, May 23, 2006 at 12:23:54PM -0400, Patrick W. Gilmore wrote:
>
> I know it was late when you wrote that, RAS, but from the
> _very_first_sentence_:
Er yeah I meant to say it says nothing about filtering 1918 packets.
> Please read BCP38 again. (For the first time? :)
Clearly allowing anyone to inject large quantities of spoofed packets into
the Internet is Bad (tm), no one is arguing that. First of all note that I
was talking about how you deal with packets you receive, not packets you
send. Hate to bust out the old "be conservative in what you send and
liberal in what you receive" line, but in this case it is true. There are
legitimate uses for RFC1918 sourced packets (as has been pointed out many
times, for example, ICMP responses from people who want/need their routers
to not source packets from publicly routed space).
Filtering every last 1918 sourced packet you receive because it might have
a DoS is like filtering all ICMP because people can ping flood. If you
want to rate limit it, that is reasonable. If you want to restrict it to
ICMP responses only, that is also reasonable. If on the other hand you are
determined to filter every 1918 sourced packet between AS boundaries
(including ttl exceed, mtu exceed, and dest unreachable) because an RFC
told you you "should", you are actually doing your customers a disservice.
If you are an end-user network or don't transit other people's packets and
you want to do yourself a disservice then by all means filter 1918 sourced
packets until you are blue in the face. If on the other hand you do handle
other people's packets, I would encourage you to fully consider the
ramifications before you go out and apply those filters. This is why k00ks
who can only cite RFC's instead of think for themselves and large networks
tend to be a bad mix. :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
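As an added illustration of the policy the post prefers (this is constructed example code, not from the post or from any NANOG participant), the following filter accepts ICMP error messages from RFC 1918 sources under a rate limit and drops other 1918-sourced traffic, next to the blanket drop the post argues against. The Packet fields, the token-bucket numbers and the set of accepted ICMP types are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP error types a router with 1918-numbered interfaces may legitimately
# send back to you: 3 = destination unreachable (code 4 is "fragmentation
# needed", i.e. the PMTU case), 11 = time exceeded. Echo and everything
# else is deliberately not in this set (assumption for this example).
ALLOWED_ICMP_ERRORS = {3, 11}


@dataclass
class Packet:            # constructed minimal packet model
    src: str
    proto: str           # "icmp", "tcp" or "udp"
    icmp_type: int = -1  # only meaningful when proto == "icmp"


class TokenBucket:
    """Rate limit of `rate` packets/second with a burst of `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def is_rfc1918(src):
    return any(ipaddress.ip_address(src) in net for net in RFC1918)


def blanket_policy(pkt):
    """The policy the post argues against: drop every 1918-sourced packet."""
    return "drop" if is_rfc1918(pkt.src) else "accept"


class SelectivePolicy:
    """Accept rate-limited ICMP errors from 1918 sources; drop the rest."""
    def __init__(self, rate=10.0, burst=20):
        self.bucket = TokenBucket(rate, burst)

    def decide(self, pkt, now=0.0):
        if not is_rfc1918(pkt.src):
            return "accept"              # public source: not this filter's job
        if pkt.proto == "icmp" and pkt.icmp_type in ALLOWED_ICMP_ERRORS:
            return "accept" if self.bucket.allow(now) else "drop"
        return "drop"                    # any other 1918-sourced traffic
```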