North American Network Operators Group
Re: Who does source address validation? (was Re: what's that smell?)
- From: Steve Francis
- Date: Thu Oct 10 01:44:38 2002
That's not terribly hard to overcome - allow ICMP unreachables (from any source) in your ACL, then deny all traffic from RFC 1918 addresses, then the rest of the ACL.

My personal pet peeve is the opposite - we'll try to use pMTU, some along the way sees fit to run it through a tunnel, so the MTU there is instead of 1500 - and the chuckleheads number the tunnel endpoints out 1918 space - so the 'ICMP Frag Needed' gets tossed at our border because we do both ingress and egress filtering.

Combined with CAR (or CatOS QoS rate limiting) on ICMPs, you end up with all the functionality, and almost none of the bogus traffic.
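As an added example (not from the original post), the ordering described above written as a Cisco IOS extended ACL with CAR applied to ICMP; the interface name, the 203.0.113.10 host, and the rate-limit values are assumptions:

```ios
ip access-list extended BORDER-IN
 remark 1) Accept PMTUD control messages before the bogon filter so a
 remark    Frag Needed from an RFC 1918-numbered tunnel endpoint survives.
 remark    packet-too-big is type 3 code 4; the unreachable keyword matches
 remark    all of type 3, so the first line is explicit rather than required.
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 remark 2) Ingress filter: drop everything else sourced from RFC 1918 space
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark 3) The rest of the policy (assumed web host 203.0.113.10)
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any any established
 deny ip any any log
!
! Match list for CAR: all ICMP, so spoofed unreachables that slip past
! step 1 are bounded in volume (64 kbit/s, 8000-byte bursts are assumed values)
access-list 110 permit icmp any any
!
interface GigabitEthernet0/0
 description Upstream (assumed interface)
 ip access-group BORDER-IN in
 rate-limit input access-group 110 64000 8000 8000 conform-action transmit exceed-action drop
```

Because the unreachable permits sit ahead of the RFC 1918 denies, ICMP type 3 from private sources is deliberately accepted; the CAR line is what keeps that opening from becoming a flood path.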