North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: rfc 1918?
- From: SMcGrath
- Date: Fri Feb 23 09:06:23 2001
Our upstream's use 1918 addresses internally so that 1918 addresses are
constantly bouncing off our filters
we have an aggressive egress filter which makes sure no 1918's leak and
pollute the internet ;-} and filtering on core routers is a suboptimal
solution RFC 1819 addresses (10 points to the person who knows the
predecessor) NEED to be filtered at the border IMHO.
Valdis.Kletnieks@email@example.com on 02/22/2001 10:14:35 PM
Sent by: firstname.lastname@example.org
To: Mark Radabaugh <email@example.com>
cc: North America Network Operators Group Mailing List <firstname.lastname@example.org>
Subject: Re: rfc 1918?
On Thu, 22 Feb 2001 19:12:14 EST, Mark Radabaugh <email@example.com> said:
> At our egress points the filters are fairly short -- they allow only
> with our IP source addresses to leave. This was my interpretation of the
Thank you. The rest of the network appreciates you doing your part.
> Some in this discussion seem to be saying that we should also filter for
> destinations. Am I reading this correctly?
That's probably optional. But if you have the router resources to do it.
every little bit helps. You probably should filter and log it, to find out
why one of your hosts is trying to send to a 1918 address outside your
site - if you're not using 1918 space, it shouldn't happen, and if you ARE
using it, the packet should have ended up inside your net, not on your
In either case, if a packet is trying to leave your net bound for a 1918
destination, something is probably seriously wrong(*).
(*) I'll leave ICMP replies from 1918-addressed P2P links out for the
> I can see that packets destined for RFC1918 addresses will leave our
> (due to default routes) but are promptly dropped at the first BGP
> router they encounter. Is it worth the extra router processing time to
> all outgoing packet destinations as well? I can't see where this extra
> filtering is worth the trouble.
There's 2 main classes of "next router":
1) You don't filter, but it goes to the OTHER end of the link and promptly
gets stomped by a fascist filter that refuses to accept any source address
that's outside the adddress block that's supposed to be at your end.
2) You don't filter, they don't filter either, because they actually USE
1918 space for their own stuff, so your packets wtih 1918 source addresses
and real destination addresses manage to go a LONG way before hitting
anything that will stop them (as the original poster showed, the packets
could actually *arrive* at the destination, with no way to reply).
Remember - this filtering often can't be done on core routers due to
performance issues, so if it doesn't get done at the border routers
it probably won't happen...
Operating Systems Analyst