ingress filtering and multiple Internet conenctions
jgreco at ns.sol.net
Sun Oct 25 23:58:32 UTC 2009
> Joe Greco wrote:
> > There's a problem: I can validly emit a variety of other addresses, in
> > particular any address in 126.96.36.199/20 and some other networks. I am
> > not "forging" packets if I emit 188.8.131.52/20-sourced addresses down a
> > Comcast pipe.
> > How many people realistically have this problem? Well, potentially,
> > lots. Anyone who uses a VPN could have a legitimate IP address on their
> > machine; because of BCP38 (and other security policy) it is common
> > for a VPN setup to forward Internet-bound traffic back to the VPN
> > server rather than directly out the Internet. In some cases, one could
> > reasonably argue that this is undesirable.
> I would like to take the opportunity to urge vendors of routers and
> firewalls to take extra special care and attention to make sure that The
> Right Thing can always happen whenever multiple egress services are
> This means that policy routing for network AND ALL locally generated
> traffic should be available and work as the operator intends it to.
> Right now things still suck pretty hard, depending on what you are using.
Who defines what "The Right Thing" is?
Allowing (what are to the service provider) random IP's inbound, even
if there's some mechanism to limit it, means that the ISP now has some
additional responsibilities to be able to transport packets for space
that isn't theirs; a transit upstream or peer might filter, especially
for smaller service providers.
Basically, allowing this dooms BCP38.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the NANOG