North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: dsl providers that will route /24
- From: David Schwartz
- Date: Wed Mar 28 16:30:45 2001
> On Tue, 27 Mar 2001 15:18:08 PST, David Schwartz said:
> > The problem is, the filter will block legitimate traffic.
> > IP does not
> > provide any sure way to tell a spoofed packet from an unspoofed packet.
> Hmm.. if I *know* that my customer has a single-homed /24, and I see a
> packet come in from his /24 that has a source address outside that /24,
> there's a *pretty* *good* chance that something squirrely is going on.
Right. However, it's also entirely possible that the traffic is legitimate.
Consider, for example, a sub-customer migrating between two ISPs each with
static IPs who currently has them both up.
The optimum approach is to investigate it, determine if it's legitimate or
not, and act appropriately. The lazy approach is to filter it and if it's
legitimate, wait for the customer to complain. The worst possible approach
is to ignore it (either filtering it or not) and hope that if it is a
serious problem, the customer will fix it themself.
The filtering advocates don't seem to particularly care whether the problem
is fixed or not. What they're missing is that filtering is simply a 'level
of service' issue. What's a security and community issue is that root
compromises and misconfigurations that threaten others be detected and
repaired. Filters can't do that.