private ip addresses from ISP

sthaug at sthaug at
Tue May 23 17:38:20 UTC 2006

> Filtering every last 1918 sourced packet you receive because it might have 
> a DoS is like filtering all ICMP because people can ping flood. If you 
> want to rate limit it, that is reasonable. If you want to restrict it to 
> ICMP responses only, that is also reasonable. If on the other hand you are 
> determined to filter every 1918 sourced packet between AS boundaries 
> (including ttl exceed, mtu exceed, and dest unreachable) because an RFC 
> told you you "should", you are actually doing your customers a disservice.

Well, some of us happen to disagree. I have been very happy to see that
both at my previous and at my present employer (large SPs by Norwegian
standards), all 1918 traffic is filtered at the borders. We have never
had any trouble from customers because of this, and we certainly intend
to keep the filters. And yes, we have had these filters in place for
several years...

Steinar Haug, Nethelp consulting, sthaug at

