Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: NSPs filter?

  • From: David Schwartz
  • Date: Thu Aug 08 20:59:46 2002

On Wed, 07 Aug 2002 18:07:37 -0700, Stephen Stuart wrote:

>>>Would you care to take a shot at answering my question, or is
>>>contributing productively too much to ask?

>>My employer believes against filtering on source or destination.

>Are you at liberty to share that reason for that? If you know that the
>source address is bogus (for whatever reason, RFC1918 source address
>is my favorite example), why not act on the fact that it is bogus? Is
>it economic - are you collecting revenue for that traffic? Do you
>believe that the router's performance or stability are adversely
>affected by restricting the traffic that you pass in any manner?

	One thing that sometimes comes up is that people do number links using 
RFC1918 address space which occasionally results in an ICMP 'fragmentation 
needed but DF bit set' packet with an RFC1918 source address. Filtering out 
this packet could result in TCP breaking.

	Of course people shouldn't do that, but solutions of the form "make 
everybody else fix it" aren't as useful as solutions of the form "you fix it 
this particular way".

	IMO, this is the only justification for not filtering RFC1918 and it's 
marginal at best. Personally, if a packet doesn't identify where it's 
actually from, I don't want it on my network.


Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.