[50781] in North American Network Operators' Group
Re: NSPs filter?
daemon@ATHENA.MIT.EDU (David Schwartz)
Thu Aug 8 20:58:03 2002
From: David Schwartz <davids@webmaster.com>
To: <stuart@tech.org>, <sal_sabella@hushmail.com>
Cc: <nanog@merit.edu>
Date: Thu, 8 Aug 2002 17:57:35 -0700
In-Reply-To: <200208080107.g7817bb71869@lo.tech.org>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 07 Aug 2002 18:07:37 -0700, Stephen Stuart wrote:
>>>Would you care to take a shot at answering my question, or is
>>>contributing productively too much to ask?
>>My employer believes against filtering on source or destination.
>Are you at liberty to share the reason for that? If you know that the
>source address is bogus (for whatever reason, RFC1918 source address
>is my favorite example), why not act on the fact that it is bogus? Is
>it economic - are you collecting revenue for that traffic? Do you
>believe that the router's performance or stability are adversely
>affected by restricting the traffic that you pass in any manner?
>
>Stephen
	One thing that sometimes comes up is that people do number links using
RFC1918 address space, which occasionally results in an ICMP 'fragmentation
needed but DF bit set' packet with an RFC1918 source address. Filtering out
this packet could result in TCP breaking.

	Of course people shouldn't do that, but solutions of the form "make
everybody else fix it" aren't as useful as solutions of the form "you fix it
this particular way".

	IMO, this is the only justification for not filtering RFC1918 and it's
marginal at best. Personally, if a packet doesn't identify where it's
actually from, I don't want it on my network.

	DS
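The PMTUD side effect described in the message above, as an added example that is not part of the original post: an RFC1918 source filter applied to a few constructed packets, with an audit that reports which TCP flows would lose their 'fragmentation needed but DF set' message (ICMP type 3, code 4) to that filter. The Packet type, the sample traffic and the addresses are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three RFC1918 private ranges.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    # Hypothetical minimal packet view, enough for a source-address policy.
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    icmp_type: int = -1
    icmp_code: int = -1
    inner_src: Optional[str] = None   # ICMP errors quote the original datagram's header:
    inner_dst: Optional[str] = None   # these are the source/destination of that datagram


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def is_frag_needed(pkt: Packet) -> bool:
    # ICMP Destination Unreachable (type 3), code 4: fragmentation needed and DF set.
    return pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 4


def source_filter(pkt: Packet) -> str:
    # The ingress policy debated in the thread: drop anything with an RFC1918 source.
    return "drop" if is_rfc1918(pkt.src) else "accept"


def pmtud_collateral(packets: List[Packet]) -> List[Tuple[str, str]]:
    # (original src, original dst) of flows whose path-MTU message the filter discards;
    # those TCP sessions will keep sending DF packets that are too large and stall.
    return [(p.inner_src, p.inner_dst) for p in packets
            if source_filter(p) == "drop" and is_frag_needed(p)]


# Constructed sample traffic arriving at a border router (addresses are documentation ranges).
SAMPLE = [
    Packet("10.0.0.1", "203.0.113.5", "tcp"),                          # leaked/spoofed private source
    Packet("198.51.100.7", "203.0.113.5", "tcp"),                      # ordinary traffic
    Packet("10.1.1.2", "203.0.113.5", "icmp", 3, 4,                    # router on an RFC1918-numbered link
           inner_src="203.0.113.5", inner_dst="198.51.100.9"),
    Packet("198.51.100.1", "203.0.113.5", "icmp", 3, 4,                # same message from a public hop
           inner_src="203.0.113.5", inner_dst="198.51.100.9"),
]


def summarize(packets: List[Packet]) -> dict:
    dropped = sum(1 for p in packets if source_filter(p) == "drop")
    return {"dropped": dropped, "pmtud_broken_flows": pmtud_collateral(packets)}
```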