[35006] in North American Network Operators' Group
RE: rfc 1918 (why filtering is a good idea for non-transit organizations)
daemon@ATHENA.MIT.EDU (Mathew Butler)
Fri Feb 23 10:35:45 2001
Message-ID: <F062E72E4BA2D4119F1700B0D03D205F3B19@mail.tonbu.com>
From: Mathew Butler <mbutler@tonbu.com>
To: "'Stephen J. Wilcox'" <steve@opaltelecom.co.uk>,
Mark Radabaugh <mark@amplex.net>
Cc: North America Network Operators Group Mailing List <nanog@merit.edu>
Date: Fri, 23 Feb 2001 07:25:36 -0800
Actually, if memory serves me correctly (for once), there was a situation
several years ago where a transit provider ran out of bandwidth and started
shunting traffic through a (better-connected) customer's network. If
filtering had been operating properly at that time (if there had been enough
CPU muscle in the routers) as specified below, then this could NOT have
happened -- the customer's network would have recognized the destination IP
as not being within its address range, and filtered it on ingress. (Or, it
could have checked the source IP, and if it wasn't in its address range,
filtered it on egress. My personal opinion is that both are necessary and
desirable, for different reasons.)
-Mat Butler
-----Original Message-----
From: Stephen J. Wilcox [mailto:steve@opaltelecom.co.uk]
Sent: Friday, February 23, 2001 2:19 AM
To: Mark Radabaugh
Cc: North America Network Operators Group Mailing List
Subject: RE: rfc 1918?
This can only apply to small networks, specifically stub networks; if
you're carrying transit or have multiple connections out you'll find
filters which only allow your own IPs in and out start dropping a whole
lot else!
But I think you have the right idea, filters should be applied at the
provider edge to such stub networks and then no nasty IPs will get through
to the provider network and hence the internet.
Oh, and I don't think I showed my opinion on my last mail, I think use of
1918 on p2p is wrong! But... as so many large networks do it you can't just
filter it out and assume everything will work.
Steve
On Thu, 22 Feb 2001, Mark Radabaugh wrote:
> It is my intention to avoid having 1918 addresses leaving my network.
>
> At our egress points the filters are fairly short -- they allow only traffic
> with our IP source addresses to leave. This was my interpretation of the RFCs.
> Some in this discussion seem to be saying that we should also filter for RFC1918
> destinations. Am I reading this correctly?
>
> I can see that packets destined for RFC1918 addresses will leave our
> network (due to default routes) but are promptly dropped at the first BGP speaking
> router they encounter. Is it worth the extra router processing time to check
> all outgoing packet destinations as well? I can't see where this extra
> filtering is worth the trouble.
>
> Mark Radabaugh
> VP, Amplex
> (419)833-3635
> mark@amplex.net
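The thread above describes two independent checks at a stub network's provider edge: an ingress filter that drops anything not addressed to the network's own prefixes (the check that would have stopped the transit-through-customer case Mat recalls), and an egress filter that drops anything not sourced from those prefixes (the short filter Mark already runs), plus the RFC 1918 destination check Mark asks about. The model below is an added example written for this archive page, not code from any of the posters; it assumes the documentation prefix 192.0.2.0/24 as "our" address space and uses constructed sample packets drawn from other documentation and private ranges.

```python
"""Model of the two edge filters discussed in the thread, for a stub network.

Constructed example: "our" prefix is the documentation block 192.0.2.0/24;
the sample packets use other documentation and RFC 1918 ranges.
"""
import ipaddress
from typing import Iterable, List, Tuple

Verdict = Tuple[str, str]  # ("permit" | "drop", reason)

# RFC 1918 private space: should never cross a provider edge in either direction.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


class StubEdgeFilter:
    """Ingress/egress checks for a non-transit network with assigned prefixes."""

    def __init__(self, our_prefixes: Iterable[str]):
        self.ours = [ipaddress.ip_network(p) for p in our_prefixes]

    def ingress(self, src: str, dst: str) -> Verdict:
        """Packet arriving from the provider: the destination must be ours.

        A packet for somebody else's address is transit we never agreed to carry."""
        if not in_any(dst, self.ours):
            return "drop", "ingress: destination not in our prefixes"
        if in_any(src, RFC1918):
            return "drop", "ingress: RFC 1918 source"
        return "permit", "ingress: ok"

    def egress(self, src: str, dst: str) -> Verdict:
        """Packet leaving toward the provider: the source must be ours.

        The source check is the short egress filter from the thread; the
        RFC 1918 destination check is the extra one Mark asks about."""
        if not in_any(src, self.ours):
            return "drop", "egress: source not in our prefixes"
        if in_any(dst, RFC1918):
            return "drop", "egress: RFC 1918 destination"
        return "permit", "egress: ok"

    def transit_verdicts(self, src: str, dst: str) -> Tuple[str, str]:
        """A packet neither from nor to us would have to pass ingress and then
        egress; return the verdict each filter gives on its own, which shows that
        either one alone is enough to stop unintended transit."""
        return self.ingress(src, dst)[0], self.egress(src, dst)[0]


# Constructed sample traffic: (direction, src, dst, what it represents)
SAMPLE = [
    ("ingress", "203.0.113.5", "192.0.2.10", "normal inbound to our host"),
    ("ingress", "203.0.113.5", "198.51.100.9", "provider shunting transit through us"),
    ("ingress", "10.1.2.3", "192.0.2.10", "inbound with a private source"),
    ("egress", "192.0.2.10", "203.0.113.5", "normal outbound from our host"),
    ("egress", "10.1.2.3", "203.0.113.5", "leaked private source"),
    ("egress", "192.0.2.10", "192.168.1.1", "outbound to a private destination via default route"),
]


def evaluate_sample(filt: StubEdgeFilter) -> List[Tuple[str, str, str, str, str]]:
    """Run each sample packet through the filter for its direction.

    Returns (direction, src, dst, verdict, reason) per packet."""
    out = []
    for direction, src, dst, _ in SAMPLE:
        check = filt.ingress if direction == "ingress" else filt.egress
        verdict, reason = check(src, dst)
        out.append((direction, src, dst, verdict, reason))
    return out


if __name__ == "__main__":
    f = StubEdgeFilter(["192.0.2.0/24"])
    for direction, src, dst, verdict, reason in evaluate_sample(f):
        print(f"{direction:7} {src:>13} -> {dst:<13} {verdict:6} {reason}")
    print("transit packet, each filter alone:", f.transit_verdicts("203.0.113.5", "198.51.100.9"))
```

Running the sample shows which rule catches which case: the transit packet is dropped by the ingress destination check and, had that check been missing, would still be dropped by the egress source check, which is the "both are necessary, for different reasons" point; the outbound packet to 192.168.1.1 is the one that passes Mark's existing source-only filter and is only caught by the additional destination check.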