[67701] in North American Network Operators' Group
Re: Clueless service restrictions (was RE: Anti-spam System Idea)
daemon@ATHENA.MIT.EDU (John Kristoff)
Tue Feb 17 18:00:43 2004
Date: Tue, 17 Feb 2004 16:59:58 -0600
From: John Kristoff <jtk@northwestern.edu>
To: nanog@merit.edu
In-Reply-To: <451737404.1077054498@[192.168.100.25]>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 17 Feb 2004 21:48:18 +0000
Alex Bligh <alex@alex.org.uk> wrote:
> a) Some forms of filtering, which do occasionally prevent the customer
> from using their target application, are in general good, as the
> operational (see, on topic) impact of *not* applying tends to be
> worse than the disruption of applying them. Examples: source IP
> filtering on ingress, BGP route filtering. Both of these are known
> to break harmless applications. I would suggest both are good things.
There are some potential applications that these can break also. For
example, a distributed application that sends out probes might wish to
use the source IP address of a remote collector that is used to measure
time delay or network path information. If Lumeta could have tunnels
to a bunch of hosts, send traceroutes to various Internet places through
those tunnels and have the tunneled hosts use Lumeta's IP as the source
IP, they could build a pretty cool distributed peacock map.
It is of course difficult to find a way to use these legitimate types of
apps today without the infrastructure succumbing to attacks such as the
source spoofed DoS traffic floods.
John
