private ip addresses from ISP

Patrick W. Gilmore patrick at ianai.net
Tue May 23 17:41:34 UTC 2006


On May 23, 2006, at 1:14 PM, Richard A Steenbergen wrote:

[...]

> Filtering every last 1918 sourced packet you receive because it might have
> a DoS is like filtering all ICMP because people can ping flood. If you
> want to rate limit it, that is reasonable. If you want to restrict it to
> ICMP responses only, that is also reasonable. If on the other hand you are
> determined to filter every 1918 sourced packet between AS boundaries
> (including ttl exceed, mtu exceed, and dest unreachable) because an RFC
> told you you "should", you are actually doing your customers a disservice.
>
> If you are an end-user network or don't transit other people's packets and
> you want to do yourself a disservice then by all means filter 1918 sourced
> packets until you are blue in the face. If on the other hand you do handle
> other people's packets, I would encourage you to fully consider the
> ramifications before you go out and apply those filters. This is why k00ks
> who can only cite RFCs instead of thinking for themselves and large networks
> tend to be a bad mix. :)

No one is arguing that you should ruin your business because an RFC told
you to.  (At least no one reasonable.)  However, in your first post you
said:

> If you're receiving RFC1918 sourced packets, for the most part you really
> shouldn't care. There are semi-legitimate reasons for packets with those
> source addresses to float around the Internet, and they don't hurt
> anything.

I disagree.  As do many people.  You -should- care when people do bad
things.  And passing bogon-source packets between ASes is a Bad Thing.

You suggest thwacking people "over the head with a cluebat" when they send
you 1918 prefixes.  Is that really a problem?  It's easy to filter (as
everyone should be doing already), and doesn't really 'break' anything.
So why the vehemence?  Because it is a Bad Thing.  And the Internet
doesn't work if everyone does Bad Things.  As a result, you get upset when
people do Bad Things.

But, as you point out, sometimes customers are stupid.  So sometimes you
have to do things that upset you.  You get paid for connectivity, and
customers don't understand why certain actions hurt the Internet.

For instance, I get pissed when someone sends 256 /24s instead of one /16.
But that doesn't mean I suggest filtering all 256 /24s.  Customers would
get pissed if they can't reach their fav pr0n server in that /16.
Similarly, if someone sends you 1918-sourced packets, you may have to
accept them to keep your customers happy.  But you should care.  And you
should be upset.

Telling people they need to see a shrink for trying to keep the 'Net clean
is not the correct response.

-- 
TTFN,
patrick
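The quoted message contrasts three ways of handling RFC 1918-sourced packets at an AS boundary: drop them all, rate-limit them, or permit only the ICMP error responses (TTL exceeded, fragmentation needed, destination unreachable) that traceroute and PMTUD depend on. The following is an added example, not code from either poster, that models those three policies against a constructed packet trace; the `Packet`, `TokenBucket` and `apply_policy` names and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 space: the "1918 sourced" packets the thread argues about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# ICMP error types named in the quoted message: destination unreachable (3,
# whose code 4 "fragmentation needed" carries PMTU) and TTL exceeded (11).
ICMP_ERRORS = {3, 11}

@dataclass
class Packet:                       # constructed, minimal packet model
    src: str
    proto: str                      # "icmp", "tcp", "udp"
    icmp_type: Optional[int] = None

class TokenBucket:
    """Constructed rate limiter: `rate` packets/s with a burst of `burst`."""
    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0
    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def is_rfc1918(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)

def decide(pkt: Packet, policy: str, bucket: TokenBucket, now: float) -> str:
    """'permit' or 'drop' for one packet under one of the three policies."""
    if not is_rfc1918(pkt.src):
        return "permit"             # non-1918 sources are outside this filter's scope
    if policy == "drop-all":        # the blanket filter the quoted message warns against
        return "drop"
    if policy == "rate-limit":      # accept 1918 sources, but cap the rate
        return "permit" if bucket.allow(now) else "drop"
    if policy == "icmp-errors-only":  # keep traceroute/PMTUD working, drop the rest
        return "permit" if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERRORS else "drop"
    raise ValueError(f"unknown policy {policy!r}")

def apply_policy(policy: str, rate: float = 2.0, burst: int = 2) -> List[str]:
    """Run a constructed (time, packet) trace through a policy; return verdicts."""
    trace = [(0.0, Packet("10.1.1.1", "icmp", 11)),      # TTL exceeded from a 1918 hop
             (0.1, Packet("192.168.0.9", "icmp", 3)),    # frag-needed / unreachable
             (0.2, Packet("172.16.5.5", "udp")),         # stray UDP from 1918 space
             (0.3, Packet("10.9.9.9", "icmp", 11)),      # another TTL exceeded
             (0.4, Packet("8.8.8.8", "icmp", 11))]       # public source, untouched
    bucket = TokenBucket(rate, burst)
    return [decide(p, policy, bucket, t) for t, p in trace]
```

Comparing the verdicts across policies shows the trade-off in the quote: `drop-all` silently loses the TTL-exceeded and frag-needed responses, while `icmp-errors-only` keeps them and still discards the stray UDP.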



More information about the NANOG mailing list