North American Network Operators Group
Re: NSPs filter?
- From: David Schwartz
- Date: Thu Aug 08 20:59:46 2002
On Wed, 07 Aug 2002 18:07:37 -0700, Stephen Stuart wrote:
>>>Would you care to take a shot at answering my question, or is
>>>contributing productively too much to ask?
>>My employer believes against filtering on source or destination.
>Are you at liberty to share the reason for that? If you know that the
>source address is bogus (for whatever reason, RFC1918 source address
>is my favorite example), why not act on the fact that it is bogus? Is
>it economic - are you collecting revenue for that traffic? Do you
>believe that the router's performance or stability are adversely
>affected by restricting the traffic that you pass in any manner?
One thing that sometimes comes up is that people do number links using
RFC1918 address space which occasionally results in an ICMP 'fragmentation
needed but DF bit set' packet with an RFC1918 source address. Filtering out
this packet could result in TCP breaking.
Of course people shouldn't do that, but solutions of the form "make
everybody else fix it" aren't as useful as solutions of the form "you fix it
this particular way".
IMO, this is the only justification for not filtering RFC1918 and it's
marginal at best. Personally, if a packet doesn't identify where it's
actually from, I don't want it on my network.
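As an added illustration that is not part of the thread or of either poster's code: a toy ingress classifier showing what a blanket drop of RFC1918-sourced packets catches, including the ICMP "fragmentation needed but DF bit set" messages described above, and what a narrow exception for those messages would let through. The prefix `203.0.113.0/24`, the sample packets and the `Packet`/`decide` names are constructed for this example; the check on the quoted inner header is an assumed design choice, not something the post recommends.

```python
"""Toy RFC1918 source filter versus Path MTU Discovery (constructed example).

Models the trade-off in the post: a router link numbered from RFC1918 space
emits ICMP type 3 code 4 with a private source address; a bogon filter on
source address drops it and the sending host's TCP session can stall.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed placeholder for the prefix this filter protects.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

ICMP_DEST_UNREACHABLE = 3
ICMP_FRAG_NEEDED = 4        # "fragmentation needed but DF bit set"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    # ICMP errors quote the header of the datagram that triggered them;
    # these two fields model that quoted inner header.
    inner_src: Optional[str] = None
    inner_dst: Optional[str] = None


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_pmtud_message(pkt: Packet) -> bool:
    return (pkt.proto == "icmp"
            and pkt.icmp_type == ICMP_DEST_UNREACHABLE
            and pkt.icmp_code == ICMP_FRAG_NEEDED)


def decide(pkt: Packet, pmtud_exception: bool = False) -> str:
    """Return 'accept', 'drop' or 'accept-pmtud' for one inbound packet.

    With pmtud_exception=False this is the strict policy from the post:
    anything with a private source address is dropped, PMTUD included.
    With pmtud_exception=True, only a frag-needed message whose quoted inner
    header names one of our own hosts as the original sender is admitted
    (assumed design: the error must plausibly concern traffic we sent).
    """
    if not is_rfc1918(pkt.src):
        return "accept"
    if pmtud_exception and is_pmtud_message(pkt) and pkt.inner_src:
        if ipaddress.ip_address(pkt.inner_src) in OUR_PREFIX:
            return "accept-pmtud"
    return "drop"


# Constructed sample traffic.
SAMPLE = [
    # Ordinary TCP with a forged private source: always dropped.
    Packet("10.1.2.3", "203.0.113.10", "tcp"),
    # Frag-needed from a router link numbered out of 10/8, about a datagram
    # our host 203.0.113.10 sent to 198.51.100.5: the case in the post.
    Packet("10.0.0.1", "203.0.113.10", "icmp", 3, 4,
           inner_src="203.0.113.10", inner_dst="198.51.100.5"),
    # Frag-needed with a private source whose quoted header is not about
    # any datagram of ours: no reason to admit it.
    Packet("192.168.1.1", "203.0.113.10", "icmp", 3, 4,
           inner_src="198.51.100.9", inner_dst="198.51.100.5"),
    # Normal traffic from a public address.
    Packet("198.51.100.7", "203.0.113.10", "tcp"),
]


def summarize(pmtud_exception: bool = False) -> Dict[str, int]:
    """Count decisions over SAMPLE under one policy."""
    counts: Dict[str, int] = {}
    for pkt in SAMPLE:
        verdict = decide(pkt, pmtud_exception)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print("strict policy:   ", summarize(False))
    print("PMTUD exception: ", summarize(True))
```

The strict run drops three of the four packets, including the legitimate PMTUD message; the exception admits exactly that one and still drops the unrelated frag-needed packet and the forged TCP segment. Note that the exception relies on the quoted inner header, which an attacker can also fill in, so it narrows the hole the post describes rather than closing it.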