Another question on rfc1918

Robert E. Seastrom rs at seastrom.com
Fri Nov 23 22:38:06 UTC 2007


"Michael Painter" <tvhawaii at shaka.com> writes:

> michael's colleague writes:
> > Most ISP routers (and I have seen configs for over
> > 1000 of them and only seen source route blocked on less than 10 of these!
> > [1]) do not filter source routing (ie no "no ip source-route" entry). As
> > a result, source routed packets float about the Internet.

There are good reasons to allow source routed packets to pass through
a backbone unfettered; among other things it can facilitate debugging
of routing anomalies by a knowledgeable individual.  ISPs by and large
are in the business of hauling bits around; they are not in the
business of implementing security policy for their customers.  One
which tried was Pilot Network Services Inc.  They are no longer
around.  Victim of .bomb or fundamentally unsound business plan?  We
could conjecture on and on but this isn't the place for that.

On the customer edge (ie, not the service provider's router) one can
implement whatever security policy suits, and live with the
consequences...  good, bad, or indifferent.  My personal opinion is
that 1918 address space is not inherently worse or better than any
other address space out there from which one could suffer an attack,
and though stateful firewalls are a huge help (and equal opportunity
for dropping bogus stuff regardless of src/dst addresses) anyone who
is dependent on a {src_addr, src_port, dst_addr, dst_port, seqnum}
tuple for established connection security ought to wake up and smell
the coffee; it's almost 2008 - get your crypto on.

My $0.02

                                        ---Rob
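One way to express the customer-edge policy the post argues for, as an added example that is not part of the original post or of any NANOG material: a small Python parser that walks the IPv4 options field, reports a Loose (LSRR) or Strict (SSRR) Source and Record Route option as defined in RFC 791, and applies a drop/pass decision over constructed sample packets. The sample addresses, the packet builder and the function names are assumptions made for this example; it is the edge-side equivalent of what the quoted "no ip source-route" router setting does.

```python
import socket
import struct
from typing import List, Optional, Tuple

# IPv4 option kinds from RFC 791 (copied-flag and class bits included in the value)
IPOPT_EOL = 0     # End of Option List
IPOPT_NOP = 1     # No Operation
IPOPT_LSRR = 131  # Loose Source and Record Route
IPOPT_SSRR = 137  # Strict Source and Record Route


def source_route_option(packet: bytes) -> Optional[str]:
    """Walk the IPv4 options field and report 'LSRR', 'SSRR' or None."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    vihl = packet[0]
    if vihl >> 4 != 4:
        return None                      # not IPv4; nothing to inspect here
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:            # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == IPOPT_LSRR:
            return "LSRR"
        if kind == IPOPT_SSRR:
            return "SSRR"
        i += length
    return None


def edge_policy(packet: bytes) -> str:
    """Customer-edge decision: drop anything carrying a source-route option."""
    try:
        return "drop" if source_route_option(packet) else "pass"
    except ValueError:
        return "drop"                    # malformed header: fail closed at the edge


# --- constructed sample packets (assumed values, not captured traffic) -------

def _checksum(data: bytes) -> int:
    """Standard ones-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (protocol 6) with options padded to a 32-bit boundary."""
    options += b"\x00" * ((-len(options)) % 4)      # pad with EOL bytes
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr + options)) + hdr[12:]
    return hdr + options + payload


def lsrr_option(hops: List[str]) -> bytes:
    """LSRR option: kind, length, pointer (starts at 4), then the hop list."""
    addrs = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(addrs), 4]) + addrs


def ssrr_option(hops: List[str]) -> bytes:
    """SSRR option has the same layout as LSRR, only the kind differs."""
    addrs = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_SSRR, 3 + len(addrs), 4]) + addrs


# Documentation-range addresses; the packets themselves are constructed here.
SAMPLES: List[Tuple[str, bytes]] = [
    ("plain", build_ipv4("198.51.100.7", "203.0.113.9")),
    ("lsrr", build_ipv4("198.51.100.7", "203.0.113.9",
                        lsrr_option(["192.0.2.1", "192.0.2.2"]))),
    ("ssrr", build_ipv4("198.51.100.7", "203.0.113.9", ssrr_option(["192.0.2.1"]))),
    ("nop+lsrr", build_ipv4("198.51.100.7", "203.0.113.9",
                            b"\x01" + lsrr_option(["192.0.2.1"]))),
]


def run_samples() -> List[Tuple[str, Optional[str], str]]:
    """Return (name, detected option, edge decision) for every sample packet."""
    return [(name, source_route_option(p), edge_policy(p)) for name, p in SAMPLES]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The parser steps over NOP padding and stops at EOL, so an option hidden behind padding is still found; a header whose IHL or option lengths do not add up is treated as a drop rather than a pass, which is the safer default on the customer side where, as the post says, one gets to choose the policy and live with it.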
