[52704] in North American Network Operators' Group
Re: Who does source address validation? (was Re: what's that
daemon@ATHENA.MIT.EDU (Barb Dijker)
Tue Oct 8 19:26:38 2002
Date: Tue, 08 Oct 2002 17:26:03 -0600
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
From: Barb Dijker <barb@netrack.net>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0210082226370.20194-100000@MrServer>
Errors-To: owner-nanog-outgoing@merit.edu
At 10:34 PM 10/8/02 +0100, Stephen J. Wilcox wrote:
>Not all IP packets require a return, indeed only TCP requires it. It is quite
>possible to send data over the internet on UDP or ICMP with RFC1918 source
>addresses and for there to be no issue. Examples of this might be ICMP
>fragments or UDP syslog which although shouldn't according to RFC1918 be on
>these source addresses might be and if you block these on major backbone
>routes you may break something.
No. Filtering RFC1918 doesn't break anything. It merely shows you what
was already broken and you didn't know it. If you have a box that is
putting an RFC1918 source address in its packets destined for external
nets, and it doesn't get NAT'd, your net config is broken.
...Barb
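
Added example, not part of the original message: a small audit that finds the misconfiguration described above by scanning border flow records for packets with an RFC1918 source and a non-RFC1918 destination. The record format (`src dst proto dport`), the sample flows and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# The three private blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def leaked_sources(flows):
    """Count flows per (src, proto, dport) whose source is RFC 1918 but whose
    destination is not, i.e. traffic bound for external nets that was never
    NAT'd. Assumed record format: 'src dst proto dport', '#' starts a comment."""
    leaks = Counter()
    for line in flows:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        if is_rfc1918(src) and not is_rfc1918(dst):
            leaks[(src, proto.lower(), int(dport))] += 1
    return leaks

# Constructed sample of flows seen on an external-facing interface.
# Public addresses come from documentation ranges; ICMP uses dport 0 as filler.
SAMPLE_FLOWS = """
10.1.2.3      198.51.100.7  udp  514   # syslog leaving without NAT
10.1.2.3      198.51.100.7  udp  514
192.168.0.9   203.0.113.20  icmp 0     # ICMP with a private source
172.16.5.5    10.9.9.9      tcp  22    # private to private: not a leak
203.0.113.45  198.51.100.7  tcp  443   # public (or NAT'd) source: fine
172.32.0.1    198.51.100.7  udp  53    # 172.32.0.1 is outside 172.16.0.0/12
""".splitlines()

if __name__ == "__main__":
    for (src, proto, dport), n in sorted(leaked_sources(SAMPLE_FLOWS).items()):
        print(f"{src} {proto}/{dport}: {n} un-NAT'd flow(s) at the border")
```

Each host it reports is one whose packets an RFC1918 source filter would drop, so the output lists what needs a NAT rule or a routable source address.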