On Wed, 07 Aug 2002 18:07:37 -0700, Stephen Stuart wrote:
> Would you care to take a shot at answering my question, or is contributing productively too much to ask?
>
> > My employer believes against filtering on source or destination.
>
> Are you at liberty to share the reason for that? If you know that the source address is bogus (for whatever reason; an RFC1918 source address is my favorite example), why not act on the fact that it is bogus? Is it economic - are you collecting revenue for that traffic? Do you believe that the router's performance or stability is adversely affected by restricting the traffic that you pass in any manner?
>
> Stephen
One thing that sometimes comes up is that people do number links using RFC1918 address space, which occasionally results in an ICMP 'fragmentation needed but DF bit set' packet with an RFC1918 source address. Filtering out this packet could result in TCP breaking. Of course people shouldn't do that, but solutions of the form "make everybody else fix it" aren't as useful as solutions of the form "you fix it this particular way". IMO, this is the only justification for not filtering RFC1918 and it's marginal at best. Personally, if a packet doesn't identify where it's actually from, I don't want it on my network.

DS
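As an added example, not code from anyone in the thread, here is a small Python model of the edge filter DS describes: drop anything whose source is RFC1918, with the one edge case he raises (an ICMP type 3 code 4 "fragmentation needed" message emitted by a router on an RFC1918-numbered link) handled explicitly behind an `allow_frag_needed` knob. The packet builders, the addresses (RFC 5737 documentation ranges for the "real" hosts, 10.1.2.3 for the router link) and the knob itself are my constructions for this example.

```python
import ipaddress
import struct

# Constructed example: a minimal model of an edge filter that drops packets with
# RFC1918 source addresses, plus the one exemption discussed in the thread
# (ICMP type 3 code 4, "fragmentation needed", which a router on an RFC1918-numbered
# link may emit). All addresses, packets and the allow_frag_needed knob are
# assumptions made for this example; none of it is from the original messages.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4


def is_rfc1918(addr):
    """True if addr falls in any RFC1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a raw IPv4 packet, or None if malformed.
    Checksums are not verified; this is a policy model, not an IP stack."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return proto, src, dst, pkt[ihl:total_len]


def frag_needed_info(icmp):
    """If icmp is a 'fragmentation needed' message, return (next_hop_mtu, orig_src, orig_dst)
    taken from the quoted original header; otherwise None."""
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_FRAG_NEEDED:
        return None
    mtu = struct.unpack("!H", icmp[6:8])[0]
    inner = parse_ipv4(icmp[8:])  # RFC 792: original IP header + first 8 bytes of its payload
    if inner is None:
        return None
    return mtu, inner[1], inner[2]


def filter_decision(pkt, allow_frag_needed=False):
    """Return (verdict, reason) for an inbound packet at the network edge."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return "drop", "malformed IPv4 packet"
    proto, src, dst, payload = parsed
    if not is_rfc1918(src):
        return "accept", "source %s is not RFC1918" % src
    if proto == ICMP_PROTO and allow_frag_needed:
        info = frag_needed_info(payload)
        if info is not None:
            return "accept", "RFC1918-sourced frag-needed for %s (PMTUD exemption)" % info[2]
    return "drop", "bogus RFC1918 source %s" % src


def build_ipv4(src, dst, proto, payload, df=False):
    """Build a raw IPv4 packet (header checksum left zero; the filter never checks it)."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_frag_needed(router_src, orig_pkt, next_hop_mtu):
    """Build the ICMP type 3 code 4 a router would send back to orig_pkt's source."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + orig_pkt[:28]
    return build_ipv4(router_src, parse_ipv4(orig_pkt)[1], ICMP_PROTO, icmp)


# Constructed scenario: a DF-set TCP segment leaves 203.0.113.10 for 198.51.100.20 and
# hits a 1280-byte link whose router interface is numbered 10.1.2.3.
ORIG_PKT = build_ipv4("203.0.113.10", "198.51.100.20", 6, b"\x00" * 1420, df=True)
FRAG_NEEDED_PKT = build_frag_needed("10.1.2.3", ORIG_PKT, 1280)
BOGUS_TCP_PKT = build_ipv4("10.9.9.9", "203.0.113.10", 6, b"\x00" * 20)
BOGUS_ECHO_PKT = build_ipv4("10.9.9.9", "203.0.113.10", ICMP_PROTO, struct.pack("!BBHHH", 8, 0, 0, 0, 0))

if __name__ == "__main__":
    for name, pkt in (("frag-needed", FRAG_NEEDED_PKT), ("bogus tcp", BOGUS_TCP_PKT), ("bogus echo", BOGUS_ECHO_PKT)):
        print(name, "strict:", filter_decision(pkt), "with exemption:", filter_decision(pkt, allow_frag_needed=True))
```

Under the strict policy the frag-needed message from 10.1.2.3 is dropped along with everything else RFC1918-sourced, so the DF sender never learns the 1280-byte MTU and its large segments black-hole: that is the TCP breakage DS refers to. The exemption narrows the hole to exactly one ICMP type/code and still drops RFC1918-sourced TCP and echo traffic; a tighter variant would also require the quoted inner header's source to be one of your own prefixes before accepting. It remains a workaround for someone else's link numbering, which is why DS calls the justification marginal.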