28 Jan
2014
28 Jan
'14
4:39 p.m.
Jarad is correct. There is lack of BCP38 filtering in the CPE ASN. Either the packet has gone "probe" -> CPE ->(*) recursive server -> "probe" or "probe" -> CPE -> recursive server -> CPE ->(*) "probe" (*) indicates the packet that should have been blocked depending apon how the NAT worked. In either case the CPE ASN had failed to check the source address of a packet. In the first case the source address of the query to the recursive server. In the second case the source address of the reply back to the probe after it had been through the NAT process. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org