Who does source address validation? (was Re: what's that smell?)
Hank Nussbacher
hank at att.net.il
Thu Oct 10 12:11:35 UTC 2002
At 10:43 PM 09-10-02 -0700, Steve Francis wrote:
>Valdis.Kletnieks at vt.edu wrote:
>>My personal pet peeve is the opposite - we'll try to use pMTU, some provider
>>along the way sees fit to run it through a tunnel, so the MTU there is 1460
>>instead of 1500 - and the chuckleheads number the tunnel endpoints out of
>>1918 space - so the 'ICMP Frag Needed' gets tossed at our border routers,
>>because we do both ingress and egress filtering.
>That's not terribly hard to overcome - allow icmp unreachables (from any
>source) in your acl, then deny all traffic from RFC 1918 addresses, then
>the rest of the ACL.
>
>Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up with
>all the functionality, and almost none of the bogus traffic.
CAR should not be used to rate-limit but instead use the MQC police command,
which basically does the same thing. CAR is not going to be around much
longer and is not being developed anymore.
Have a look at:
http://www.cisco.com/warp/public/105/cbpcar.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt8/qcfmcli2.htm
for more information.
-Hank
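The ACL ordering Steve describes and the MQC policer Hank recommends in place of CAR, written out as an added Cisco IOS configuration example (not from the thread or from Cisco's documentation); the ACL, class-map and policy-map names, the interface, and the rate and burst values are assumptions.

```ios
! Border ingress ACL: the order of the entries is the whole point.
ip access-list extended BORDER-IN
 remark 1. Admit ICMP unreachables from any source first, so a
 remark    'Frag Needed' (type 3 code 4) sent by an RFC 1918-numbered
 remark    tunnel endpoint still reaches the host doing PMTU discovery.
 remark    'packet-too-big' in place of 'unreachable' admits only that
 remark    one message type instead of all of type 3.
 permit icmp any any unreachable
 remark 2. Only now drop everything else sourced from RFC 1918 space.
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark 3. The rest of the border policy follows.
 permit ip any any
!
! Rate-limit ICMP with an MQC policer rather than legacy CAR.
! The CAR form it replaces, shown only for comparison (assumed
! numbered ACL 101 matching ICMP):
!   interface GigabitEthernet0/0
!    rate-limit input access-group 101 64000 8000 8000
!      conform-action transmit exceed-action drop
ip access-list extended ICMP-ALL
 permit icmp any any
!
class-map match-all ICMP
 match access-group name ICMP-ALL
!
policy-map BORDER-POLICE
 class ICMP
  police 64000 8000 8000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 ip access-group BORDER-IN in
 service-policy input BORDER-POLICE
```

The policer rates are placeholders; the ICMP permit must stay above the RFC 1918 denies or the frag-needed messages are dropped exactly as Valdis describes.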