At 11:51 AM 10/8/02 -0700, John M. Brown wrote:

> We in the technical community need to develop or modify our tools to make those tasks easier.

So right. I don't know what the fuss is all about. Not that our little ISP matters in the grand scheme of things... but we've always blocked RFC1918 sources the old-fashioned way, even though it appears to be less than .05% (by packet) of our border traffic:

(outgoing)
Extended IP access list 101
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any (110170 matches)
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any (130473 matches)
    permit ip any any (530422134 matches)

We get just as much (.05%) RFC1918 coming _into_ our podunk network (that we also block). If that much is coming down my insignificant alley, I have no problem believing your 12-18% numbers at tier 1. Those packets are by definition junk or malicious junk packets. They have no business being on any pipe that is not a leaf enterprise.

(incoming - abbreviated)
Extended IP access list 100
    deny ip 127.0.0.0 0.255.255.255 any (111 matches)
    deny ip 10.0.0.0 0.255.255.255 any (105016 matches)
    deny ip 172.16.0.0 0.15.255.255 any (27671 matches)
    deny ip 192.168.0.0 0.0.255.255 any (66627 matches)
    permit ip any any (475732704 matches)

The big guys apparently have so much bandwidth to spare that these and other unverifiable, unrepliable packets don't matter to them. If DoS and other activity hurt them as much as it hurt folks like us, there would be fewer excuses and more solutions and implementations.

ISPs bill customers for traffic on the edge. If you filter one hop from the edge (interior of the edge router - fewer interfaces that way too) or at your border, then you can have your cake (money from the customer) and eat it too (filter RFC1918). Of course you would then be charging customers for packets you don't pass. They'll never know, and I never met a bean counter that cared about such details anyway... if bean counters are making routing policies.

...Barb
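The ACL listings in the post are plain `show access-lists` output. As an added example that is not part of Barb's message, the Python script below parses that format, applies Cisco's first-match wildcard-mask semantics (a 1 bit in the wildcard means "don't care") to show which line a given source address would hit, and uses the hit counters to work out what share of counted packets the deny lines absorbed. The two listings are copied from the post (they cover the RFC1918 ranges plus 127/8, exactly as shown); the source addresses checked in `main()` are constructed, and the parser handles only the `permit|deny ip <src> [<wildcard>] <dst> [(N matches)]` entry forms that appear there.

```python
import ipaddress
import re

# Both listings copied from the post; indentation added only for readability.
ACL_OUTGOING = """\
Extended IP access list 101
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any (110170 matches)
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any (130473 matches)
    permit ip any any (530422134 matches)
"""

ACL_INCOMING = """\
Extended IP access list 100
    deny ip 127.0.0.0 0.255.255.255 any (111 matches)
    deny ip 10.0.0.0 0.255.255.255 any (105016 matches)
    deny ip 172.16.0.0 0.15.255.255 any (27671 matches)
    deny ip 192.168.0.0 0.0.255.255 any (66627 matches)
    permit ip any any (475732704 matches)
"""

# One ACL entry: action, source (network + optional wildcard, or "any"),
# destination (ignored here beyond parsing), optional match counter.
ENTRY_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+(?P<wild>\d+\.\d+\.\d+\.\d+))?"
    r"\s+(?P<dst>any|\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+\d+\.\d+\.\d+\.\d+)?"
    r"(?:\s+\((?P<count>\d+) matches\))?\s*$"
)

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(text):
    """Return the ACL entries of a 'show access-lists' listing, in order.

    Header lines and anything the regex does not recognise are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        if m["src"] == "any":
            net, wild = 0, ALL_ONES  # every bit is "don't care"
        else:
            net = _to_int(m["src"])
            # No wildcard after a dotted source means a single host (wildcard 0.0.0.0).
            wild = _to_int(m["wild"]) if m["wild"] else 0
        entries.append({"action": m["action"], "net": net, "wild": wild,
                        "count": int(m["count"] or 0)})
    return entries


def entry_matches(entry, src_ip):
    """Cisco wildcard test: compare only the bits where the wildcard has a 0."""
    care = ~entry["wild"] & ALL_ONES
    return (_to_int(src_ip) & care) == (entry["net"] & care)


def acl_action(entries, src_ip):
    """First matching entry wins; an ACL ends in an implicit deny."""
    for entry in entries:
        if entry_matches(entry, src_ip):
            return entry["action"]
    return "deny"


def denied_matches(entries):
    """Packets counted against deny lines."""
    return sum(e["count"] for e in entries if e["action"] == "deny")


def denied_fraction(entries):
    """Share of all counted packets that hit a deny line (0.0 if no counters)."""
    total = sum(e["count"] for e in entries)
    return denied_matches(entries) / total if total else 0.0


def main():
    # Constructed sample sources: three private, one loopback, two public.
    samples = ["10.1.2.3", "172.31.255.1", "192.168.5.5", "127.0.0.1",
               "172.32.0.1", "8.8.8.8"]
    for name, text in (("outgoing", ACL_OUTGOING), ("incoming", ACL_INCOMING)):
        acl = parse_acl(text)
        print(f"{name}: {denied_fraction(acl) * 100:.4f}% of counted packets denied")
        for ip in samples:
            print(f"  {ip:>14} -> {acl_action(acl, ip)}")


if __name__ == "__main__":
    main()
```

Both listings come out at roughly 0.04 to 0.05% denied, which is the figure the post quotes. Re-running `parse_acl` over periodic `show access-lists` snapshots and differencing `denied_matches` gives a cheap trend line for how much bogon-sourced traffic a border is absorbing, which is a useful early indicator of spoofed-source activity.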