On Mon, 16 Nov 1998, John Fraizer wrote:
> Hell, for that matter, I block anything claiming to be from our networks as well. There's no way they'll be originating from the outside unless it's spoofed.
> Nothing and I mean NOTHING claiming to be from any of them at your border is valid.

Actually, if you have a multihomed customer with your address space and their link to you goes down, you could legitimately receive traffic from your address block across external links if they then access hosts on your network via other connections. However, allowing that opens your network up to be spoofed and so it is commonly accepted practice to block internal addresses coming in over transit/peering links. If someone wants to multihome, they really need to have their own address block to take full advantage of it anyway.

You have an analogous problem if you filter inbound customer links, in that if they are multihomed and have address space from another ISP, you have to allow those addresses in your filters. If they provide transit, you either need to have everything downstream for them or just punt (perhaps only blocking your address space that you didn't assign to them).

John A. Tamplin                     Traveller Information Services
jat@Traveller.COM                   2104 West Ferry Way
256/705-7007 - FAX 256/705-7100     Huntsville, AL 35801
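
The source-address policy discussed in this thread, sketched as an added example that is not part of the original messages: external links refuse our own space, customer links accept assigned and other-ISP prefixes, and transit customers get the "punt" rule. The prefixes, customer names and the `permit_source` function are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (RFC 5737 documentation prefixes), not from the thread.
OUR_BLOCKS = [ip_network("198.51.100.0/24")]

# Per customer link: prefixes we assigned, space held from another ISP,
# and whether the customer provides transit to networks we cannot enumerate.
CUSTOMERS = {
    "cust-a": {"assigned": [ip_network("198.51.100.64/26")],
               "other_isp": [ip_network("203.0.113.0/24")],
               "transit": False},
    "cust-b": {"assigned": [ip_network("198.51.100.128/26")],
               "other_isp": [],
               "transit": True},
}


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def permit_source(link, src):
    """Return True if a packet with source `src` is accepted on `link`.

    `link` is "external" (transit/peering) or a key of CUSTOMERS.
    """
    addr = ip_address(src)
    if link == "external":
        # Our own space arriving from outside is treated as spoofed. This also
        # drops the multihomed-customer failover traffic described above.
        return not _in_any(addr, OUR_BLOCKS)
    cust = CUSTOMERS[link]
    if _in_any(addr, cust["assigned"]) or _in_any(addr, cust["other_isp"]):
        return True
    if cust["transit"]:
        # "Punt": accept unknown downstream sources, but still refuse our
        # address space that was not assigned to this customer.
        return not _in_any(addr, OUR_BLOCKS)
    return False
```
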