[36144] in North American Network Operators' Group
Re: dsl providers that will route /24
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Mar 27 23:13:47 2001
Message-Id: <200103280410.f2S4AHA14253@foo-bar-baz.cc.vt.edu>
To: David Schwartz <davids@webmaster.com>
Cc: nanog@nanog.org
In-reply-to: Your message of "Tue, 27 Mar 2001 15:18:08 PST."
<NCBBLIEPOCNJOAEKBEAKGEOGOAAA.davids@webmaster.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 27 Mar 2001 23:10:17 -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 27 Mar 2001 15:18:08 PST, David Schwartz said:

> The problem is, the filter will block legitimate traffic. IP does not
> provide any sure way to tell a spoofed packet from an unspoofed packet.

Hmm.. if I *know* that my customer has a single-homed /24, and I see a
packet come in from his /24 that has a source address outside that /24,
there's a *pretty* *good* chance that something squirrely is going on.

But we *know* that this crowd is a "tough room" - we just *had* a flame
fest regarding filtering RFC1918 addresses. So I won't go there again. ;)

> Do an informal survey. Ask network operators who ingress filter whether
> they log and investigate packets that hit the filter. I will bet you that
> more than 2/3 say they don't. In other words, the filter substitutes for

And a survey of DNS servers quite recently showed that 16% still haven't
upgraded to non-hackable versions of BIND. A lot of people drive without
seat belts too. Just because 2/3 of a group do something doesn't mean
it's a good idea.

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
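The check described in the message above, as an added example that is not part of the thread: a per-port source-address filter for a single-homed /24 customer that also records every hit, since the other point raised is that hits nobody logs never get investigated. The interface name, prefixes and packet records are constructed (documentation address space), not taken from any real network.

```python
import ipaddress
from collections import Counter

# Constructed customer port table: one single-homed customer, one /24.
# Prefix is documentation space (RFC 5737), not a real allocation.
CUSTOMER_PORTS = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample of packets arriving on the customer-facing port:
# (ingress_interface, source_ip, destination_ip)
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.7", "198.51.100.10"),    # inside the /24
    ("ge-0/0/1", "203.0.113.200", "198.51.100.11"),  # inside the /24
    ("ge-0/0/1", "192.0.2.55", "198.51.100.10"),     # source outside the /24
    ("ge-0/0/1", "10.1.2.3", "198.51.100.12"),       # source outside the /24
    ("ge-0/0/1", "192.0.2.55", "198.51.100.13"),     # same outside source again
]


def source_permitted(interface, src):
    """True if src falls inside a prefix assigned to that customer port.

    A port with no assigned prefixes permits nothing, so an unknown
    interface fails closed rather than open."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PORTS.get(interface, []))


def ingress_filter(packets):
    """Apply the per-port source check; return forwarded packets and a hit log.

    Every packet that fails the check is recorded, because a filter that
    drops silently gives the operator nothing to investigate afterwards."""
    forwarded, hits = [], []
    for iface, src, dst in packets:
        if source_permitted(iface, src):
            forwarded.append((iface, src, dst))
        else:
            hits.append({"interface": iface, "src": src, "dst": dst})
    return forwarded, hits


def hits_by_source(hits):
    """Count filter hits per offending source address for follow-up triage."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    ok, dropped = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(ok)}, dropped {len(dropped)}")
    for src, n in hits_by_source(dropped).most_common():
        print(f"  {src}: {n} hit(s)")
```

On a real router the equivalent is the interface ACL or unicast RPF check; the hit log here stands in for the counters or syslog entries the message argues should actually be read.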