[52748] in North American Network Operators' Group
Re: Who does source address validation? (was Re: what's that
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Thu Oct 10 09:14:26 2002
Date: Thu, 10 Oct 2002 15:11:35 +0300
To: Steve Francis <steve@expertcity.com>, Valdis.Kletnieks@vt.edu
From: Hank Nussbacher <hank@att.net.il>
Cc: nanog@merit.edu
In-Reply-To: <3DA51396.3000403@expertcity.com>
Errors-To: owner-nanog-outgoing@merit.edu
At 10:43 PM 09-10-02 -0700, Steve Francis wrote:
>Valdis.Kletnieks@vt.edu wrote:
>>My personal pet peeve is the opposite - we'll try to use pMTU, some provider
>>along the way sees fit to run it through a tunnel, so the MTU there is 1460
>>instead of 1500 - and the chuckleheads number the tunnel endpoints out of
>>1918 space - so the 'ICMP Frag Needed' gets tossed at our border routers,
>>because we do both ingress and egress filtering.
>That's not terribly hard to overcome - allow icmp unreachables (from any
>source) in your acl, then deny all traffic from RFC 1918 addresses, then
>the rest of the ACL.
>
>Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up with
>all the functionality, and almost none of the bogus traffic.
CAR should not be used to rate-limit; use the MQC police command instead,
which basically does the same thing. CAR is not going to be around much
longer and is not being developed anymore.
Have a look at:
http://www.cisco.com/warp/public/105/cbpcar.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt8/qcfmcli2.htm
for more information.
-Hank
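Added example, not part of the thread: a small first-match ACL evaluator in Python that models the ordering Steve describes (permit ICMP unreachables from any source, then deny RFC 1918 sources, then "the rest") against the naive ordering that puts the RFC 1918 deny first. The packets and addresses are constructed for the illustration; the "rest of the ACL" is stood in for by a permit-all rule.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges, which ingress/egress filters drop as sources.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str          # "icmp" or "tcp"
    icmp_type: int = 0  # ICMP type 3 = destination unreachable
    icmp_code: int = 0  # code 4 = fragmentation needed (PMTUD)


def is_icmp_unreachable(pkt):
    return pkt.proto == "icmp" and pkt.icmp_type == 3


def from_rfc1918(pkt):
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in RFC1918)


def evaluate(acl, pkt):
    """First matching rule wins, like an IOS ACL; implicit deny at the end."""
    for match, action in acl:
        if match(pkt):
            return action
    return "deny"


# Ordering from the thread: unreachables first, then the 1918 deny, then the rest.
RECOMMENDED = [
    (is_icmp_unreachable, "permit"),
    (from_rfc1918, "deny"),
    (lambda p: True, "permit"),  # stands in for "the rest of the ACL"
]
# Naive ordering that blackholes PMTUD: 1918 deny before the unreachable permit.
NAIVE = [
    (from_rfc1918, "deny"),
    (is_icmp_unreachable, "permit"),
    (lambda p: True, "permit"),
]

# Constructed samples: a Frag Needed from a tunnel endpoint numbered out of
# 1918 space, and a spoofed 1918-sourced TCP packet that must still be dropped.
FRAG_NEEDED = Packet("10.1.2.3", "icmp", icmp_type=3, icmp_code=4)
SPOOFED_TCP = Packet("192.168.5.5", "tcp")

if __name__ == "__main__":
    for name, acl in (("recommended", RECOMMENDED), ("naive", NAIVE)):
        print(name, evaluate(acl, FRAG_NEEDED), evaluate(acl, SPOOFED_TCP))
```

The permit-from-any-source rule is what lets spoofed unreachables in, which is why the thread pairs it with rate limiting of ICMP.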