[50600] in North American Network Operators' Group
Re: NSPs filter?
daemon@ATHENA.MIT.EDU (John M. Brown)
Mon Aug 5 18:12:51 2002
Date: Mon, 5 Aug 2002 15:11:25 -0700
From: "John M. Brown" <jmbrown@ihighway.net>
To: Jared Mauch <jared@puck.Nether.net>
Cc: Stephen Stuart <stuart@tech.org>,
Chris Woodfield <rekoil@semihuman.com>, nanog@merit.edu
In-Reply-To: <20020805150649.GA27358@puck.nether.net>; from jared@puck.Nether.net on Mon, Aug 05, 2002 at 11:06:50AM -0400
Errors-To: owner-nanog-outgoing@merit.edu
But keep in mind that there is a difference between IP Header
Source being RFC-1918, and the payload having a query for
something in RFC-1918 space.
Yes, dropping packets that you have no valid return path for is not
bad.
Dropping queries from your network asking for things in RFC-1918 space
is also a good thing (tm)
On Mon, Aug 05, 2002 at 11:06:50AM -0400, Jared Mauch wrote:
>
> On Sun, Aug 04, 2002 at 09:15:26PM -0700, Stephen Stuart wrote:
> > > IMO, Commercial ISPs should never filter customer packets unless
> > > specifically requested to do so by the customer, or in response to a
> > > security/abuse incident.
> >
> > Let's say the customer operates some big enterprise network, runs
> > their infrastructure in RFC1918 space ("for security," hah), and spews
> > a couple kilobits of DNS query from that RFC1918 space toward the root
> > nameservers. Assume that either pride or ignorance will prevent the
> > customer from ever asking you to filter what you know to be garbage
> > traffic. Does your rule to "never filter customer packets" mean you're
> > going to sit and watch those packets go by?
> >
> > If yes, why?
>
> Everyone should turn on either the equivalent of
> the Cisco 'ip verify unicast source reachable-via any' on their
> peer/upstream interfaces as well as to internal and bgp customer
> interfaces that may not be able to be checked with a stricter rpf.
>
> This will drop packets from people that you have no return
> path for in the cef path. I know other vendors either have or should
> have this feature. While it will not stem a true DoS based on real
> ip addresses, zombies, whatnot.. it will stop all the rfc1918 headed
> towards the roots or other space that is not in the global routing table.
>
> if your vendor doesn't have such a knob, I do suggest asking
> them :)
>
> I've seen a lot of traffic get dropped by using such a
> check on interfaces. It is not a large amount compared to
> the overall packets but does reduce what you end up transporting
> and customer support queries about why 10.* is sending them packets.
>
> - jared
>
> --
> Jared Mauch | pgp key available via finger from jared@puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
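The two checks the thread distinguishes, a header-source check (loose-mode uRPF, the "reachable-via any" knob Jared describes) and a payload check (the RFC-1918 reverse-DNS queries John mentions), are easy to confuse, so the following Python simulation models both side by side. It is an added example, not code from either poster or from any vendor; the FIB entries, interface names, the TEST-NET customer prefixes and the DNS queries are all constructed for the example, and the `allow-default` behaviour (a 0.0.0.0/0 route does not satisfy uRPF unless that keyword is given) mirrors the Cisco IOS command the thread quotes.

```python
"""Simulation of the two filters discussed in the thread:
  1. uRPF on the IP header source ("reachable-via any" = loose, "rx" = strict), and
  2. dropping DNS queries whose QNAME asks about RFC1918 reverse space,
     regardless of the packet's source address.
All routes, interfaces and packets are constructed for this example."""
import ipaddress
import struct
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str            # egress interface; "Null0" models a discard route


class Fib:
    """Tiny longest-prefix-match table standing in for the CEF FIB."""
    def __init__(self, routes):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        return next((r for r in self.routes if addr in r.prefix), None)


def urpf_loose(fib, src, allow_default=False):
    """'ip verify unicast source reachable-via any': pass if the FIB holds a non-discard
    route back to the source via any interface. As in IOS, 0.0.0.0/0 only counts
    when allow-default is set, so an RFC1918 source still fails behind a default route."""
    r = fib.lookup(src)
    if r is None or r.iface == "Null0":
        return False
    return r.prefix.prefixlen > 0 or allow_default


def urpf_strict(fib, src, ingress_iface):
    """'reachable-via rx': the return route must point out the interface the packet arrived on."""
    r = fib.lookup(src)
    return r is not None and r.iface == ingress_iface


# --- minimal DNS wire handling (constructed query bytes, no resolver involved) ---
def build_query(qname, qtype=12):  # 12 = PTR, 1 = A
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet):
    """Return the first question's name; compression pointers are rejected."""
    pos, labels = 12, []
    while True:
        n = packet[pos]
        if n == 0:
            return ".".join(labels)
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n


def is_rfc1918_reverse(qname):
    """True if qname asks about in-addr.arpa space lying entirely inside RFC1918.
    '4.3.2.10.in-addr.arpa' -> 10.2.3.4/32; '20.172.in-addr.arpa' -> 172.20.0.0/16;
    '172.in-addr.arpa' -> 172.0.0.0/8, which is NOT wholly private, so it passes."""
    labels = qname.lower().strip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return False
    octets = labels[:-2][::-1]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return False
    net = ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}")
    return any(net.subnet_of(p) for p in RFC1918)


def classify(fib, src, ingress_iface, payload, mode="any"):
    """Header check first (loose by default, strict with mode='rx'), then the payload check."""
    ok = urpf_strict(fib, src, ingress_iface) if mode == "rx" else urpf_loose(fib, src)
    if not ok:
        return "drop: uRPF (no return path for %s)" % src
    try:
        qname = parse_qname(payload)
    except (IndexError, ValueError):
        return "forward"          # not a parsable DNS query; the header check already passed
    if is_rfc1918_reverse(qname):
        return "drop: RFC1918 reverse query for %s" % qname
    return "forward"


FIB = Fib([
    Route(ipaddress.ip_network("0.0.0.0/0"), "Peer0"),          # upstream default
    Route(ipaddress.ip_network("198.51.100.0/24"), "Cust1"),    # constructed customer (TEST-NET-2)
    Route(ipaddress.ip_network("203.0.113.0/24"), "Cust2"),     # constructed customer (TEST-NET-3)
    Route(ipaddress.ip_network("192.0.2.0/24"), "Null0"),       # blackholed prefix
])

if __name__ == "__main__":
    cases = [
        ("10.1.2.3", "Cust1", build_query("www.example.com", 1)),          # RFC1918 source
        ("198.51.100.7", "Cust1", build_query("7.100.51.198.in-addr.arpa")),
        ("198.51.100.7", "Cust1", build_query("4.3.2.10.in-addr.arpa")),   # would head to the roots
        ("192.0.2.9", "Cust1", build_query("www.example.com", 1)),         # blackholed source
    ]
    for src, ingress, pkt in cases:
        print(f"{src:>14} {ingress:>6} -> {classify(FIB, src, ingress, pkt)}")
```

The first case drops on the header alone, the third passes uRPF (a legitimately routed customer source) and is caught only by looking at the QNAME, which is exactly the distinction John draws: the two filters catch different traffic, and neither subsumes the other.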