On Sun, 15 Aug 2010 18:14:41 +0200, Florian Weimer said:
What's the current consensus on exempting private network space from source address validation? Is it recommended? Discouraged?
What you do on your internal networks and internal transit is your business. BCP38 talks about where you connect to the rest of the world. RFC 1918 is specific that you're supposed to get all medieval on any escaping packets: It is strongly recommended that routers which connect enterprises to external networks are set up with appropriate packet and routing filters at both ends of the link in order to prevent packet and routing information leakage. An enterprise should also filter any private networks from inbound routing information in order to protect itself from ambiguous routing situations which can occur if routes to the private address space point outside the enterprise.
(One argument in favor of exceptions is that it makes PMTUD work if transfer networks use private address space.)
And that connection that's trying to use PMTU got established across the commodity internet, how, exactly? ;) That implies you let some routing info escape and got one of those "ambiguous routing situations".