Who does source address validation? (was Re: what's that smel l?)

• Previous message (by thread): Who does source address validation? (was Re: what's that smell?)
• Next message (by thread): Who does source address validation? (was Re: what's that smel l?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Valdis.Kletnieks at vt.edu wrote:
> 
> My personal pet peeve is the opposite - we'll try to use pMTU, some
> provider
> along the way sees fit to run it through a tunnel, so the MTU there is
> 1460
> instead of 1500 - and the chuckleheads number the tunnel endpoints out
> of
> 1918 space - so the 'ICMP Frag Needed' gets tossed at our border
> routers,
> because we do both ingress and egress filtering.  
That's not terribly hard to overcome - allow icmp unreachables (from any 
source) in your acl,  then deny all traffic from RFC 1918 addresses, 
then the rest of the ACL.

Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up 
with all the functionality, and almost none of the bogus traffic.

• Previous message (by thread): Who does source address validation? (was Re: what's that smell?)
• Next message (by thread): Who does source address validation? (was Re: what's that smel l?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]