Furthermore, whether the RFC [1918] says so or not, I'm going to block these packets at *my* border routers, because:
Curious as to the cost (added latency) in doing RFC 1918 source address filtering on all packets in the context of cost-benefit analysis.
The cost is dependent on the quality of the filtering implementation of your routers. It's quite possible to implement source address filtering as a part of ASIC-assisted routing, resulting in wire-speed filtering. Whether any given vendor has or has not implemented their equipment to allow wire speed filtering is something you might want to ask salesmen.
As it's something which network providers should be doing, it's a capability that should be demanded of the hardware vendors.
--
-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.                http://www.amaranthnetworks.com
Well, that will eventually get somebody into trouble. Long ago & far away, Dave Mills created a list of "forbidden" network prefixes in the fuzzball routers. The Martian list consisted of the "zero & all-ones" /24 networks at the edges of the old classful boundaries. Many router vendors hardcoded those as well. Ate my lunch a few years ago w/ ciscos. It seems to be fixed (again) in the latest 12.0 codebase. Tossing six /24s is one thing. Tossing two hundred seventy /16s is something else again... --bill
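As an added example (not code from any poster in this thread), the following sketches the ingress source-address filter the thread is discussing, run over a few constructed packet records, and works out how many /16 equivalents the three RFC 1918 prefixes add up to, which is the figure behind Bill's "two hundred seventy /16s" remark. Packet records, field names and the sample addresses are assumptions made for the example.

```python
# Added example, not from the thread: RFC 1918 ingress source filtering
# applied to constructed packet records, plus the /16 arithmetic.
import ipaddress
from typing import Dict, Iterable, List

# RFC 1918 private address space. Packets arriving from the outside with
# one of these as a *source* address are spoofed or leaked and get dropped.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918_source(src: str) -> bool:
    """True if src falls inside any RFC 1918 prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)


def filter_ingress(packets: Iterable[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Sort packets into 'permit' and 'deny' buckets by source address."""
    result: Dict[str, List[Dict[str, str]]] = {"permit": [], "deny": []}
    for pkt in packets:
        bucket = "deny" if is_rfc1918_source(pkt["src"]) else "permit"
        result[bucket].append(pkt)
    return result


def slash16_equivalents(nets=RFC1918) -> int:
    """Number of /16 blocks the prefixes cover (Bill's figure is roughly this)."""
    return sum(2 ** (16 - n.prefixlen) for n in nets if n.prefixlen <= 16)


# Constructed sample traffic (assumption): two legitimate sources, two private ones.
SAMPLE = [
    {"src": "192.0.2.10", "dst": "203.0.113.5"},
    {"src": "10.1.2.3", "dst": "203.0.113.5"},
    {"src": "172.31.255.1", "dst": "203.0.113.5"},
    {"src": "172.32.0.1", "dst": "203.0.113.5"},  # just outside 172.16/12
]

if __name__ == "__main__":
    out = filter_ingress(SAMPLE)
    print(len(out["deny"]), "denied;", slash16_equivalents(), "/16 equivalents covered")
```

The /16 count comes out at 273 (256 + 16 + 1), which is what makes a classic per-prefix Martian list impractical here and why the filter has to be a range match, ideally one the forwarding hardware performs.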