source filtering (Re: rfc1918 ignorant)

Jared Mauch jared at puck.Nether.net
Wed Jul 23 14:59:24 UTC 2003


On Wed, Jul 23, 2003 at 02:10:17PM +0100, variable at ednet.co.uk wrote:
> 
> On Wed, 23 Jul 2003, Dave Temkin wrote:
> 
> > Is this really an issue?  So long as they're not advertising the space I
> > see no issue with routing traffic through a 10. network as transit.  If
> > you have no reason to reach their router directly (and after Cisco's last
> > exploit, I'd think no one would want anyone to reach their router directly
> > :-) ), what's the harm done?
> 
> If Frank's seeing the IP in his traceroute then the network concerned 
> isn't properly filtering traffic leaving their borders as per BCP38:
> 
> http://www.faqs.org/rfcs/bcp/bcp38.html

	I think you'll see more and more networks slowly over
time move closer to bcp38.   I believe that AT&T is the only "tier-1"
provider that is in full compliance with this.  I'm sure some
of the smaller providers are as well.  I've been looking at
the "unicast-rpf loose" drops at the edges of our network the past
month off and on and am still surprised at the bitrate of packets that
cannot be returned to their sources.  I think it's a simple thing to do
that will ensure that you are not carrying all this extra junk traffic
on your network.

	Another perspective here:

	A number of people refuse to answer calls that show up on their
phones as "out of area" or "private".  Why would you answer or trust IP
packets from hosts that are not in the routing table?  While there is no
PKI or similar to check if the packets are authenticated/signed for most
of the network traffic, this does seem like a simple thing to do.  Don't
trust packets if you can't possibly figure out where they are coming from.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
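The "unicast-rpf loose" drops Jared describes, and the difference between loose and strict reverse-path checks, can be shown with a small simulator. This is an added example, not code from the original post or from any router vendor: it assumes a constructed forwarding table using RFC 5737 documentation prefixes, a handful of constructed packets, and an `allow_default` switch that plays the same role as the allow-default option on router uRPF implementations (a default route otherwise makes loose mode accept everything). Loose mode asks only "is there any route back to this source?", which is exactly what drops packets from unrouted space such as 10/8; strict mode additionally requires that the route point back out the ingress interface.

```python
import ipaddress

# Constructed sample forwarding table for an edge router: prefix -> egress interface.
# RFC 5737 documentation prefixes; none of these come from the original thread.
FIB = {
    "0.0.0.0/0":       "upstream0",  # default route towards transit
    "192.0.2.0/24":    "cust1",
    "198.51.100.0/24": "cust2",
    "203.0.113.0/25":  "cust3",
}


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match for addr. Returns the egress interface, or None
    when no route exists. The default route only satisfies the lookup when
    allow_default is True (analogous to a router's allow-default knob)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        if net.prefixlen == 0 and not allow_default:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None


def urpf_check(fib, src, ingress_iface, mode="loose", allow_default=False):
    """True if a packet with source src arriving on ingress_iface passes uRPF.
    loose:  some route back to src exists ("the source is in the routing table")
    strict: that route points out the interface the packet came in on"""
    egress = lookup(fib, src, allow_default)
    if egress is None:
        return False          # unroutable source: cannot be replied to, drop
    if mode == "loose":
        return True
    if mode == "strict":
        return egress == ingress_iface
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed sample packets: (source address, ingress interface, length in bytes)
PACKETS = [
    ("192.0.2.10",     "cust1",     1500),  # customer traffic from its own interface
    ("192.0.2.10",     "cust2",     1500),  # customer prefix arriving on the wrong port
    ("10.1.2.3",       "cust1",       64),  # RFC 1918 source: no route at all
    ("203.0.113.200",  "upstream0",  576),  # outside the /25, only the default matches
]


def classify(fib, packets, mode, allow_default=False):
    """Annotate each packet with its uRPF verdict."""
    return [(src, iface, length, urpf_check(fib, src, iface, mode, allow_default))
            for src, iface, length in packets]


def drop_summary(fib, packets, mode, allow_default=False):
    """(dropped packet count, dropped bytes) -- the 'junk traffic' a check removes."""
    dropped = [p for p in classify(fib, packets, mode, allow_default) if not p[3]]
    return len(dropped), sum(p[2] for p in dropped)


if __name__ == "__main__":
    for mode, allow in (("loose", False), ("strict", False), ("loose", True)):
        print(f"mode={mode:6} allow_default={allow!s:5}", end=" ")
        for src, iface, length, ok in classify(FIB, PACKETS, mode, allow):
            print(f"{src}@{iface}:{'pass' if ok else 'DROP'}", end=" ")
        print("->", drop_summary(FIB, PACKETS, mode, allow))
```

Running it shows the trade-off in Jared's message: loose mode alone already removes the RFC 1918 and otherwise unrouted sources, strict mode also catches a customer prefix showing up on the wrong interface (at the cost of breaking asymmetric routing), and switching allow_default on makes loose mode pass everything the default route covers, which is why it should be used deliberately rather than left on by habit.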


