|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Date: Tue, 13 Nov 2007 17:16:58 +0100 From: Phil Regnauld <regnauld@catpipe.net> To: Joe Abley <jabley@ca.afilias.info> Cc: Robert Bonomi <bonomi@mail.r-bonomi.com>, nanog@merit.edu In-Reply-To: <0736D1A7-FE35-4643-B5A8-186680EAF6D9@ca.afilias.info> Errors-To: owner-nanog@merit.edu Joe Abley (jabley) writes: > > You drop the packet at your border before it is sent out to the Internet. > > This is why numbering interfaces in the data path of non-internal traffic is > a bad idea. Unfortunately many providers have the bad habit of using RFC1918 for interconnect, on the basis that a) it saves IPs b) it makes the interconnect "not vulnerable" [1]. > > Packets which are strictly error/status reporting -- e.g. IMP > > 'unreachable', > > 'ttl exceeded', 'redirect', etc. -- should *NOT* be filtered at network > > boundaries _solely_ because of an RFC1918 source address. > > I respectfully disagree. Same here, and even if egress filtering didn't catch it, many inbound filters will. [1] I'v also heard of ISPs having an entire /16 of routable addresses for their interconnect, but they just don't advertise to peers.
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |