ISP port blocking practice
nanog-post at rsuc.gweep.net
Mon Oct 26 10:03:59 UTC 2009
[tangent of interest for the archives]
On Sat, Oct 24, 2009 at 02:07:42PM -0500, Joe Greco wrote:
> If I'm assigned 184.108.40.206 by Comcast, and Comcast filters my ingress to
> prevent me from emitting other addresses, you claim that's fine because
> it's BCP38.
> There's a problem: I can validly emit a variety of other addresses, in
> particular any address in 220.127.116.11/20 and some other networks. I am
> not "forging" packets if I emit 18.104.22.168/20-sourced addresses down a
> Comcast pipe.
Only if your service agreement allows this. Most folks realized both
- the bad guys figured out this 'triangle routing' ages ago (was common
to send bulk abuse traffic down broadband and receive the ack stream
on dialup Back In The Day) and specifically disallow it.
- such hacks to attempt multihoming without BGP fail in spectacular
ways and can't be relied on for any real traffic.
So while you may have an allocation and therefore not be 'forging' by
strict definitions, you are injecting martian traffic as far as the
resi broadband provider is concerned and it should be dropped.
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
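The ingress check the reply describes, as an added example that is not part of the original NANOG thread or either poster's words: a residential provider accepts a packet from a customer port only if its source address falls inside a prefix the provider assigned (or, by agreement, explicitly authorized) for that port. The port name, the per-port assignment table and the sample packets are constructed here from the addresses quoted above; the example shows the 220.127.116.11-sourced packet being dropped as a martian under strict BCP38 filtering, and accepted only once the customer's other allocation has been authorized on that port.

```python
"""Strict per-customer ingress (BCP38 / uRPF-style) source address check.

Added example, not code from the thread. Models the filtering the reply
describes: a residential broadband provider drops any packet whose source
is not in a prefix it assigned to (or explicitly authorized on) that port.
"""
from ipaddress import ip_address, ip_network

# Constructed: prefixes assigned to each access port by the provider.
PORT_ASSIGNMENTS = {
    "cable-port-1": [ip_network("184.108.40.206/32")],
}


def is_permitted_source(port: str, src: str) -> bool:
    """True if src lies inside a prefix assigned/authorized on this port."""
    addr = ip_address(src)
    return any(addr in net for net in PORT_ASSIGNMENTS.get(port, []))


def authorize_prefix(port: str, prefix: str) -> None:
    """Model the 'service agreement allows it' case: the provider adds the
    customer's own allocation to the port's permitted source prefixes."""
    # strict=False lets a host-style string such as 220.127.116.11/20 be
    # normalized to its network (220.127.112.0/20).
    PORT_ASSIGNMENTS.setdefault(port, []).append(ip_network(prefix, strict=False))


def filter_packets(port: str, packets):
    """Apply the ingress ACL; return (accepted, dropped) as lists of (src, dst)."""
    accepted, dropped = [], []
    for src, dst in packets:
        (accepted if is_permitted_source(port, src) else dropped).append((src, dst))
    return accepted, dropped


# Constructed sample traffic seen on the customer's cable port.
SAMPLE_PACKETS = [
    ("184.108.40.206", "192.0.2.10"),  # the assigned address: permitted
    ("220.127.116.11", "192.0.2.10"),  # customer's other allocation: martian here
    ("10.0.0.5", "192.0.2.10"),        # RFC 1918 source: martian here
]

if __name__ == "__main__":
    ok, bad = filter_packets("cable-port-1", SAMPLE_PACKETS)
    print("accepted:", ok)
    print("dropped :", bad)
    authorize_prefix("cable-port-1", "220.127.116.11/20")
    ok, bad = filter_packets("cable-port-1", SAMPLE_PACKETS)
    print("after authorizing the /20, accepted:", ok)
```

Without an entry for the customer's /20, the check drops the traffic the original poster considers legitimate; that is exactly the point of the reply, since the provider's edge has no way to distinguish an authorized second allocation from a spoofed source unless the agreement (and therefore the ACL) says otherwise.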