> On Mon, Mar 26, 2001 at 12:40:45PM -0800, David Schwartz wrote:
> > As for outbound packets, why do they need to take the reverse path? There's no reason the tunnel can't be unidirectional. Even if the ISP is stupid and filters its customers' legitimate traffic, forcing them to encapsulate the outbound packets, the same argument still applies.
> Ummm, s/if the ISP is stupid/if the ISP is doing the right thing/
> You do filter what source addresses your customers can use, don't you?
No, I don't. If I see illegitimate traffic, I block it. If I see suspicious traffic, I investigate it. But I give my customers the benefit of the doubt. They pay me for Internet access. That means they can do whatever they want with the Internet provided it's legal and doesn't impose an undue burden on anyone else using the Internet. A one-way VPN is a legitimate use and shouldn't be subject to prior restraint.

On the other hand, if I saw a customer abusing this privilege, I would definitely *NOT* respond with a filter (except maybe as a stopgap until I could contact the relevant administrators). The fact is, silently covering over a problem doesn't help anyone. Specifically, it doesn't help my customer find the problem, which is most likely a root compromise on one of their machines. It is, IMO, stupid to hide a serious problem with a filter. That won't make the problem go away. In this instance, the problem is a compromised machine, a misconfiguration, or a customer who is trying to launch network attacks.

I'm sure we've all heard stories of major network disruptions being caused by this type of filtering policy. ISP1 filters routes it hears from CUSTOMER1. So the fact that CUSTOMER1's filters are broken is never noticed. Then one day, ISP1 accidentally breaks its filters. Boom!

Filtering should be a last resort if there is no other way to accomplish the desired goal or where small misconfigurations on the other end have the ability to cause massive damage in a very small amount of time. Filtering should _never_ be used to hide a real problem unless there is absolutely no other option. In this case, there are *many* other options.

DS
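The two positions in the thread, a strict per-customer source-address (BCP 38 style) filter versus "let it through, but notice it and investigate", can be shown side by side. The following is an added example and not code from either poster: it runs a BCP 38 prefix check over a handful of constructed flow records and, instead of silently dropping a mismatch, classifies it so an operator can follow up. The customer-to-prefix table, the flow records, the private-prefix list and the packet-count threshold are all constructed for the example.

```python
import ipaddress

# Hypothetical customer assignment table (constructed for this example):
# customer port -> prefixes that customer is allowed to use as source.
CUSTOMER_PREFIXES = {
    "cust1": [ipaddress.ip_network("192.0.2.0/24")],
    "cust2": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("198.51.100.128/25")],
}

# RFC 1918 space, listed explicitly rather than via ipaddress.is_private,
# because is_private also matches documentation ranges such as 192.0.2.0/24.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (customer port, source IP, packet count).
SAMPLE_FLOWS = [
    ("cust1", "192.0.2.10", 1200),       # normal: source inside assigned block
    ("cust1", "203.0.113.7", 40),        # low, steady, foreign source: could be a one-way tunnel
    ("cust2", "198.51.100.200", 800),    # normal
    ("cust2", "10.0.0.1", 5000),         # RFC 1918 source leaking out: misconfiguration
    ("cust2", "192.0.2.5", 30000),       # another customer's block at high volume: likely spoofing
]


def is_permitted_source(port, src):
    """Strict BCP 38 check: True only if src is inside a prefix assigned to this port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))


def classify_flows(flows, spoof_threshold=1000):
    """Return findings for every flow a strict ingress filter would drop.

    A pure filter would discard all of these and the customer would never hear
    about it. Here each mismatch gets a reason and a suggested action so that
    the operator can contact the customer; only the high-volume case is marked
    as warranting a temporary filter while that contact happens.
    """
    findings = []
    for port, src, pkts in flows:
        if is_permitted_source(port, src):
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in PRIVATE_NETS):
            reason = "private source address on customer port (misconfiguration)"
            action = "investigate"
        elif pkts >= spoof_threshold:
            reason = "high-volume foreign source (possible spoofed attack traffic)"
            action = "investigate+stopgap-filter"
        else:
            reason = "low-volume foreign source (possibly a one-way tunnel)"
            action = "investigate"
        findings.append({"customer": port, "src": src, "pkts": pkts,
                         "reason": reason, "action": action})
    return findings


if __name__ == "__main__":
    for f in classify_flows(SAMPLE_FLOWS):
        print(f"{f['customer']}: {f['src']} ({f['pkts']} pkts) -> {f['action']}: {f['reason']}")
```

Note what the strict check alone would do: all three flagged flows, including the plausible one-way tunnel, are dropped with no signal back to anyone. The classification step is what turns the same prefix table into a detection that an operator can act on.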