Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Who does source address validation? (was Re: what's that smell?)

  • From: Steve Francis
  • Date: Thu Oct 10 01:44:38 2002

Valdis.Kletnieks@vt.edu wrote:

> My personal pet peeve is the opposite - we'll try to use pMTU, some provider
> along the way sees fit to run it through a tunnel, so the MTU there is 1460
> instead of 1500 - and the chuckleheads number the tunnel endpoints out of
> 1918 space - so the 'ICMP Frag Needed' gets tossed at our border routers,
> because we do both ingress and egress filtering.

That's not terribly hard to overcome - allow icmp unreachables (from any source) in your acl, then deny all traffic from RFC 1918 addresses, then the rest of the ACL.

Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up with all the functionality, and almost none of the bogus traffic.
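
The rule ordering described in the reply, shown as an added example that is not part of the original post: a first-match ACL evaluator in Python compares "permit ICMP unreachables, then deny RFC 1918" against a deny-first ordering. The rule names and the sample packets are constructed for illustration, and the ICMP rate limiting (CAR) is not modelled.

```python
import ipaddress

# RFC 1918 private address ranges
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)

def is_icmp_unreachable(pkt):
    # ICMP type 3 = destination unreachable (code 4 = frag needed, DF set)
    return pkt["proto"] == "icmp" and pkt.get("icmp_type") == 3

# Each rule is (action, predicate); the first matching rule wins,
# as in a router access list.
PERMIT_UNREACH = ("permit", is_icmp_unreachable)
DENY_RFC1918 = ("deny", lambda p: is_rfc1918(p["src"]))
REST = ("permit", lambda p: True)  # stand-in for "the rest of the ACL"

ORDER_FROM_REPLY = [PERMIT_UNREACH, DENY_RFC1918, REST]
DENY_FIRST = [DENY_RFC1918, PERMIT_UNREACH, REST]

def evaluate(acl, pkt):
    for action, matches in acl:
        if matches(pkt):
            return action
    return "deny"  # implicit deny at the end of an ACL

# Constructed sample packets (addresses are illustrative only)
FRAG_NEEDED = {"src": "10.1.1.1", "proto": "icmp", "icmp_type": 3, "icmp_code": 4}
PRIVATE_TCP = {"src": "192.168.7.9", "proto": "tcp"}
PRIVATE_ECHO = {"src": "172.16.0.5", "proto": "icmp", "icmp_type": 8, "icmp_code": 0}
PUBLIC_TCP = {"src": "198.51.100.20", "proto": "tcp"}

if __name__ == "__main__":
    samples = {"frag-needed from 10/8": FRAG_NEEDED,
               "tcp from 192.168/16": PRIVATE_TCP,
               "echo from 172.16/12": PRIVATE_ECHO,
               "tcp from public space": PUBLIC_TCP}
    for acl_name, acl in (("reply order", ORDER_FROM_REPLY),
                          ("deny first", DENY_FIRST)):
        for label, pkt in samples.items():
            print(f"{acl_name:12} {label:24} {evaluate(acl, pkt)}")
```

With the deny-first ordering the 'Frag Needed' message from the RFC 1918 tunnel endpoint is dropped and path MTU discovery stalls; with the ordering from the reply it is permitted while all other RFC 1918-sourced traffic is still denied.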





