North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Bogon list
- From: Stephen J. Wilcox
- Date: Sat Jun 08 16:58:25 2002
Indeed, you should filter ingress packets with your own addresses for
security and as you say using non globally unique addresses will therefore
cause it to break pMTU.
On Fri, 7 Jun 2002, Greg A. Woods wrote:
> [ On Friday, June 7, 2002 at 10:26:53 (+0100), Stephen J. Wilcox wrote: ]
> > Subject: Re: Bogon list
> > RFC1918 does not break path-mtu, filtering it does tho..
> So, in other words inappropriate use of RFC 1918 does not break Path MTU
> Discovery! You can't still have your cake and have eaten it too. One
> way or another RFC 1918 addresses must not be let past the enterprise
> boundaries. Lazy and/or ignorant people don't always meet all the
> requirements of RFC 1918, but it's only their lack of compliance that
> _may_ allow Path-MTU-discovery to continue working for their networks
> for _some_ people _some_ of the time.
> However any enterprise also using RFC 1918, but using it correctly (or
> customers of such an enterprise), and thus who are also carefully
> protecting their use from interference by outside parties, will be
> filtering inbound packets with source addresses in the RFC 1918 assigned
> networks, and so as a result they _will_ experience Path-MTU-discovery
> failure (i.e. at any time it's necessary it literally cannot work) when
> attempting to contact (and sometimes be contacted by, depending on the
> application protocol in use) any host on or behind the lazy and/or
> ignorant operator's network(s).
> (and no, I'm not sorry if I've yet again offended anyone who might be
> mis-using RFC 1918 addresses for public nodes -- you should all know
> better by now! How many _years_ has it been?)
> > > 2) Not believe in filtering RFC1918 sourced traffic at enterprise boundaries
> > > (of which an exchange would be a boundary)
> > What for? You'll find many more much more mailicious packets coming from
> > legit routable address space.
> If you have any IP address level trust relationsips on your internal
> LANs then you _MUST_ (if you want those trust relationships to be valid)
> filter all foreign packets with source addresses appearing to be part of
> your internal LANs.
> > For p2p you can use unnumbered.. it wont work on exchanges but i agree
> > they shouldnt be rfc1918.
> On this we can agree! :-)