North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: dsl providers that will route /24
- From: David Schwartz
- Date: Tue Mar 27 16:28:18 2001
> On Mon, Mar 26, 2001 at 12:40:45PM -0800, David Schwartz wrote:
> > As for outbound packets, why do they need to take the
> > reverse path? There's
> > no reason the tunnel can't be unidirectional. Even if the ISP
> > is stupid and
> > filters its customers' legitimate traffic, forcing them to
> > encapsulate the
> > outbound packets, the same argument still applies.
> Ummm, s/if the ISP is stupid/if the ISP is doing the right thing/
> You do filter what source addresses your customers can use, don't you?
No, I don't. If I see illegitimate traffic, I block it. If I see suspicious
traffic, I investigate it. But I give my customers the benefit of the doubt.
They pay me for Internet access. That means they can do whatever they want
with the Internet provided it's legal and doesn't impose an undue burden on
anyone else using the Internet. A one-way VPN is a legitimate use and
shouldn't be subject to prior restraint.
On the other hand, if I saw a customer abusing this privilege, I would
definitely *NOT* respond with a filter (except maybe as a stopgap until I
could contact the relvant administrators). The fact is, silently covering
over a problem doesn't help anyone. In specific, it doesn't help my customer
find the problem, which is most likely a root compromise on one of their
It is, IMO, stupid to hide a serious problem with a filter. That won't make
the problem go away. In this instance, the problem is a compromised machine,
a misconfiguration, or a customer who is trying to launch network attacks.
I'm sure we've all heard stories of major network disruptions being caused
by this type of filtering policy. ISP1 filters routes it hears from
CUSTOMER1. So the fact the CUSTOMER1's filters are broken is never noticed.
Then one day, ISP1 accidentally breaks its filters. Boom!
Filtering should be a last resort if there is no other way to accomplish
the desired goal or where small misconfigurations on the other end have the
ability to cause massive damage in a very small amount of time. Filtering
should _never_ be used to hide a real problem unless there is absolutely no
other option. In this case, there are *many* other options.