ingress filtering and multiple Internet connections

Joe Maimon jmaimon at ttec.com
Sun Oct 25 23:05:07 UTC 2009



Joe Greco wrote:

> 
> There's a problem:  I can validly emit a variety of other addresses, in
> particular any address in 206.55.64.0/20 and some other networks.  I am
> not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a
> Comcast pipe.
> 
> How many people realistically have this problem?  Well, potentially,
> lots.  Anyone who uses a VPN could have a legitimate IP address on their
> machine; because of BCP38 (and other security policy) it is common
> for a VPN setup to forward Internet-bound traffic back to the VPN
> server rather than directly out the Internet.  In some cases, one could
> reasonably argue that this is undesirable.


I would like to take the opportunity to urge vendors of routers and 
firewalls to take extra special care and attention to make sure that The 
Right Thing can always happen whenever multiple egress services are 
employed.

This means that policy routing for network AND ALL locally generated 
traffic should be available and work as the operator intends it to.

Right now things still suck pretty hard, depending on what you are using.


Joe
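The failure mode described above, as an added example that is not part of the thread: a small simulation of source-based policy routing across two uplinks, each with a BCP38 ingress filter at the provider edge. The 206.55.64.0/20 prefix comes from the quoted post; the 192.0.2.0/24 block (RFC 5737 documentation space) stands in for the cable provider's assigned prefix and the uplink names are constructed.

```python
"""Simulate source-address policy routing with BCP38 ingress filters.
All prefixes and uplink names here are constructed for illustration."""
import ipaddress

# Constructed topology: a cable link and a VPN tunnel to the network that
# owns 206.55.64.0/20. Each uplink's provider only accepts packets whose
# source lies inside the prefix it delegated to us (BCP38).
UPLINKS = {
    "cable": ipaddress.ip_network("192.0.2.0/24"),      # stand-in for ISP block
    "vpn":   ipaddress.ip_network("206.55.64.0/20"),    # prefix from the thread
}
DEFAULT_UPLINK = "cable"

# Policy routing database: (source prefix -> uplink), longest match wins.
# The Linux (iproute2) analogue of the vpn entry would be:
#   ip rule add from 206.55.64.0/20 lookup 100
#   ip route add default via <vpn-gateway> dev <tunnel-if> table 100
RULES = [(net, name) for name, net in UPLINKS.items()]

def upstream_accepts(uplink, src):
    """Ingress filter at the provider edge of the chosen uplink."""
    return ipaddress.ip_address(src) in UPLINKS[uplink]

def policy_egress(src, locally_generated):
    """Desired behaviour: source-based lookup for every packet, whether a
    host behind the router or the router itself originated it."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, name) for net, name in RULES if addr in net]
    return max(matches)[1] if matches else DEFAULT_UPLINK

def naive_egress(src, locally_generated):
    """The bug the post complains about: forwarded traffic is policy routed,
    but locally generated traffic always takes the main default route."""
    if locally_generated:
        return DEFAULT_UPLINK
    return policy_egress(src, False)

def delivered(select, src, locally_generated):
    """Return (uplink chosen, True if the upstream filter lets it through)."""
    link = select(src, locally_generated)
    return link, upstream_accepts(link, src)

if __name__ == "__main__":
    for fn in (naive_egress, policy_egress):
        print(fn.__name__, delivered(fn, "206.55.70.1", True))
```

With the naive selector, a VPN-sourced packet generated on the router itself leaves via the cable link and is silently dropped by that provider's BCP38 filter; the policy selector sends it down the tunnel.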



