Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: private ip addresses from ISP

  • From: Richard A Steenbergen
  • Date: Tue May 23 13:15:28 2006

On Tue, May 23, 2006 at 12:23:54PM -0400, Patrick W. Gilmore wrote:
> 
> I know it was late when you wrote that, RAS, but from the  
> _very_first_sentence_:

Er yeah I meant to say it says nothing about filtering 1918 packets. 

> Please read BCP38 again.  (For the first time? :)

Clearly allowing anyone to inject large quantities of spoofed packets into 
the Internet is Bad (tm), no one is arguing that. First of all note that I 
was talking about how you deal with packets you receive, not packets you 
send. Hate to bust out the old "be conservative in what you send and 
liberal in what you receive" line, but in this case it is true. There are 
legitimate uses for RFC1918 sourced packets (as has been pointed out many 
times, for example, ICMP responses from people who want/need their routers 
to not source packets from publicly routed space).

Filtering every last 1918 sourced packet you receive because it might have 
a DoS is like filtering all ICMP because people can ping flood. If you 
want to rate limit it, that is reasonable. If you want to restrict it to 
ICMP responses only, that is also reasonable. If on the other hand you are 
determined to filter every 1918 sourced packets between AS boundries 
(including ttl exceed, mtu exceed, and dest unreachable) because an RFC 
told you you "should", you are actually doing your customers a disservice.

If you are an end-user network or don't transit other people's packets and 
you want to do yourself a disservice then by all means filter 1918 sourced 
packets until you are blue in the face. If on the other hand you do handle 
other people's packets, I would encourage you to fully consider the 
ramifications before you go out and apply those filters. This is why k00ks 
who can only cite RFC's instead of think for themselves and large networks 
tend to be a bad mix. :)

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.