ingress filtering and multiple Internet connections

Owen DeLong owen at delong.com
Mon Oct 26 03:51:13 UTC 2009


On Oct 25, 2009, at 4:05 PM, Joe Maimon wrote:

>
>
> Joe Greco wrote:
>
>> There's a problem:  I can validly emit a variety of other addresses, in
>> particular any address in 206.55.64.0/20 and some other networks.  I am
>> not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a
>> Comcast pipe.
>> How many people realistically have this problem?  Well, potentially,
>> lots.  Anyone who uses a VPN could have a legitimate IP address on their
>> machine; because of BCP38 (and other security policy) it is common
>> for a VPN setup to forward Internet-bound traffic back to the VPN
>> server rather than directly out the Internet.  In some cases, one could
>> reasonably argue that this is undesirable.
>
>
> I would like to take the opportunity to urge vendors of routers and
> firewalls to take extra special care and attention to make sure that
> The Right Thing can always happen whenever multiple egress services
> are employed.
>
> This means that policy routing for network AND ALL locally generated
> traffic should be available and work as the operator intends it to.
>
This includes the ability to turn OFF stateful inspection in all cases
if desired, and full ability to support asymmetrical (or Triangle)
routing in cases where it is desired.

Also, not breaking PMTU-D would be good.

> Right now things still suck pretty hard, depending on what you are
> using.
>
Indeed.

Owen
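The point both Joes make (a host holding a VPN-assigned address in 206.55.64.0/20 must send that traffic, including locally generated packets, out the tunnel rather than the Comcast pipe, or the provider's BCP38 ingress filter drops it) worked through as an added example that is not part of the thread: a small Python model of Linux source-based `ip rule` routing with the provider-edge filter applied to whichever uplink is chosen. The 198.51.100.0/24 ISP prefix, interface names, gateways and table numbers are constructed assumptions.

```python
import ipaddress

# Constructed uplinks: documentation space stands in for the ISP-assigned prefix;
# the VPN-assigned prefix is the one quoted in the thread.
UPLINKS = {
    "comcast": {"dev": "eth0", "gw": "198.51.100.1", "assigned": "198.51.100.0/24", "table": 100},
    "vpn":     {"dev": "tun0", "gw": "206.55.64.1",   "assigned": "206.55.64.0/20", "table": 101},
}

def build_rules(uplinks):
    """One `ip rule from <assigned prefix> lookup <table>` per uplink, in priority order.
    Anything no rule matches falls through to the main table (default via the ISP)."""
    return [(1000 + i, up["assigned"], up["table"]) for i, up in enumerate(uplinks.values())]

def emit_commands(uplinks):
    """Render the equivalent iproute2 commands; run them as root on a real host."""
    cmds = [f"ip route add default via {up['gw']} dev {up['dev']} table {up['table']}"
            for up in uplinks.values()]
    cmds += [f"ip rule add from {prefix} lookup {table} priority {prio}"
             for prio, prefix, table in build_rules(uplinks)]
    isp = uplinks["comcast"]
    cmds.append(f"ip route add default via {isp['gw']} dev {isp['dev']}")
    return cmds

def select_egress(src, uplinks, rules):
    """Model the kernel's rule walk: the first matching `from` rule wins, else main table.
    The kernel walks the same rules for forwarded and for locally generated packets, so a
    daemon bound to the VPN address gets the VPN egress as well (Joe Maimon's point)."""
    src = ipaddress.ip_address(src)
    for _prio, prefix, table in sorted(rules):
        if src in ipaddress.ip_network(prefix):
            return next(name for name, up in uplinks.items() if up["table"] == table)
    return "comcast"  # main table: plain default route via the ISP

def isp_ingress_accepts(uplink, src, uplinks):
    """BCP38 at the provider edge: only the prefix that provider assigned may source packets."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(uplinks[uplink]["assigned"])

def packet_delivered(src, uplinks, rules):
    """End-to-end outcome: choose the egress by policy, then apply that uplink's filter."""
    egress = select_egress(src, uplinks, rules)
    return egress, isp_ingress_accepts(egress, src, uplinks)
```

With an empty rule list the VPN-sourced packet follows the main table out the ISP link and the filter rejects it; with the rules in place it leaves via the tunnel and is accepted.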
