dsl providers that will route /24
Valdis.Kletnieks at vt.edu
Wed Mar 28 04:10:17 UTC 2001
On Tue, 27 Mar 2001 15:18:08 PST, David Schwartz said:
> The problem is, the filter will block legitimate traffic. IP does not
> provide any sure way to tell a spoofed packet from an unspoofed packet.
Hmm.. if I *know* that my customer has a single-homed /24, and I see a
packet come in from his /24 that has a source address outside that /24,
there's a *pretty* *good* chance that something squirrely is going on.
But we *know* that this crowd is a "tough room" - we just *had* a flame
fest regarding filtering RFC1918 addresses. So I won't go there again. ;)
> Do an informal survey. Ask network operators who ingress filter whether
> they log and investigate packets that hit the filter. I will bet you that
> more than 2/3 say they don't. In other words, the filter substitutes for
And a survey of DNS servers quite recently showed that 16% still haven't
upgraded to non-hackable versions of BIND. A lot of people drive without
seat belts too. Just because 2/3 of a group do something doesn't mean
it's a good idea.
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
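
The source-address check described in the message above, combined with counting filter hits so they can be investigated, as an added example that is not part of the original post. The interface names, the provisioning table and the packet records are constructed for illustration (documentation address ranges), and dropping traffic on an interface with no table entry is an assumption of this sketch.

```python
import ipaddress
from collections import Counter

# Hypothetical provisioning table: customer-facing interface -> prefixes
# assigned to the single-homed customer behind it.
CUSTOMER_PREFIXES = {
    "dsl0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "dsl0/2": [ipaddress.ip_network("198.51.100.0/24")],
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: (ingress interface, source IP, destination IP).
SAMPLE_PACKETS = [
    ("dsl0/1", "192.0.2.10", "203.0.113.5"),
    ("dsl0/1", "10.1.2.3", "203.0.113.5"),      # RFC 1918 source
    ("dsl0/1", "198.51.100.7", "203.0.113.5"),  # another customer's space
    ("dsl0/2", "198.51.100.7", "203.0.113.9"),
    ("dsl0/1", "10.1.2.3", "203.0.113.80"),
    ("dsl0/3", "192.0.2.10", "203.0.113.5"),    # interface with no entry
]


def check_source(interface, src):
    """Return (allowed, reason) for one packet arriving on a customer port."""
    prefixes = CUSTOMER_PREFIXES.get(interface)
    if prefixes is None:
        return (False, "unknown-interface")  # assumption: fail closed
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in prefixes):
        return (True, "in-prefix")
    if any(addr in net for net in RFC1918):
        return (False, "rfc1918-source")
    return (False, "outside-prefix")


def filter_and_log(packets):
    """Apply the filter and count every hit instead of dropping silently."""
    passed, hits = [], Counter()
    for interface, src, dst in packets:
        allowed, reason = check_source(interface, src)
        if allowed:
            passed.append((interface, src, dst))
        else:
            hits[(interface, src, reason)] += 1
    return passed, hits


if __name__ == "__main__":
    _, hits = filter_and_log(SAMPLE_PACKETS)
    for (interface, src, reason), n in hits.most_common():
        print(f"{interface} src={src} {reason} x{n}")
```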