[168517] in North American Network Operators' Group


Re: BCP38.info

daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Jan 28 16:40:21 2014

To: Jared Mauch <jared@puck.nether.net>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Tue, 28 Jan 2014 16:11:16 -0500."
 <D4515961-E456-454D-8461-4D7044CC47A7@puck.nether.net>
Date: Wed, 29 Jan 2014 08:39:53 +1100
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


Jared is correct.  There is a lack of BCP38 filtering in the CPE ASN.

Either the packet has gone

	"probe" -> CPE ->(*) recursive server -> "probe"

or

	"probe" -> CPE -> recursive server -> CPE ->(*) "probe"

(*) indicates the packet that should have been blocked depending upon
how the NAT worked.

In either case the CPE ASN had failed to check the source address of
a packet.  In the first case the source address of the query to the
recursive server.  In the second case the source address of the reply
back to the probe after it had been through the NAT process.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
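
The two paths described in the message above, modelled as an added example (not part of the original message): a BCP38-style egress check applied to every packet the CPE puts on the wire. All addresses are constructed from the RFC 5737 documentation ranges, and the header values on each hop are an assumed reading of the two cases.

```python
import ipaddress
from typing import NamedTuple

# Constructed addresses (RFC 5737 documentation ranges), assumptions only.
PROBE = "192.0.2.10"        # measurement host
CPE = "198.51.100.20"       # customer device inside the CPE ASN
RESOLVER = "203.0.113.53"   # recursive server outside the CPE ASN
CPE_ASN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed

class Hop(NamedTuple):
    sender: str    # node that put the packet on the wire
    receiver: str
    src: str       # IP source address in the header
    dst: str

# Case 1: the CPE forwards the query without rewriting the source,
# so the recursive server answers the probe directly.
CASE_1 = [
    Hop("probe", "cpe", PROBE, CPE),
    Hop("cpe", "resolver", PROBE, RESOLVER),    # (*)
    Hop("resolver", "probe", RESOLVER, PROBE),
]
# Case 2: the query is NATed, but the reply goes back to the probe
# still carrying the recursive server's source address.
CASE_2 = [
    Hop("probe", "cpe", PROBE, CPE),
    Hop("cpe", "resolver", CPE, RESOLVER),
    Hop("resolver", "cpe", RESOLVER, CPE),
    Hop("cpe", "probe", RESOLVER, PROBE),       # (*)
]

def egress_permitted(src, prefixes):
    """BCP38 check: the source must belong to the originating network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def blocked_hops(path, sender="cpe", prefixes=CPE_ASN_PREFIXES):
    """Hops sent by `sender` that an egress filter would drop."""
    return [h for h in path
            if h.sender == sender and not egress_permitted(h.src, prefixes)]

if __name__ == "__main__":
    for name, path in (("case 1", CASE_1), ("case 2", CASE_2)):
        for h in blocked_hops(path):
            print(f"{name}: drop {h.sender}->{h.receiver} src={h.src}")
```

In both cases exactly one packet fails the check, and it is the one marked (*).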

