ingress filtering and multiple Internet conenctions
owen at delong.com
Sun Oct 25 22:51:13 CDT 2009
On Oct 25, 2009, at 4:05 PM, Joe Maimon wrote:
> Joe Greco wrote:
>> There's a problem: I can validly emit a variety of other
>> addresses, in
>> particular any address in 220.127.116.11/20 and some other networks.
>> I am
>> not "forging" packets if I emit 18.104.22.168/20-sourced addresses
>> down a
>> Comcast pipe.
>> How many people realistically have this problem? Well, potentially,
>> lots. Anyone who uses a VPN could have a legitimate IP address on
>> machine; because of BCP38 (and other security policy) it is common
>> for a VPN setup to forward Internet-bound traffic back to the VPN
>> server rather than directly out the Internet. In some cases, one
>> reasonably argue that this is undesirable.
> I would like to take the opportunity to urge vendors of routers and
> firewalls to take extra special care and attention to make sure that
> The Right Thing can always happen whenever multiple egress services
> are employed.
> This means that policy routing for network AND ALL locally generated
> traffic should be available and work as the operator intends it to.
This includes the ability to turn OFF stateful inspection in all cases
if desired, and, full ability to
support asymmetrical (or Triangle) routing in cases where it is desired.
Also, not breaking PMTU-D would be good.
> Right now things still suck pretty hard, depending on what you are
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2105 bytes
Desc: not available
More information about the NANOG