RE: rfc 1918 (why filtering is a good idea for non-transit organizations)
Actually, if memory serves me correctly (for once), there was a situation several years ago where a transit provider ran out of bandwidth and started shunting traffic through a (better-connected) customer's network. If filtering had been operating properly at that time (if there had been enough CPU muscle in the routers) as specified below, then this could NOT have happened -- the customer's network would have recognized the destination IP as not being within its address range, and filtered it on ingress. (Or, it could have checked the source IP, and if it wasn't in its address range, filtered it on egress. My personal opinion is that both are necessary and desirable, for different reasons.)

-Mat Butler

-----Original Message-----
From: Stephen J. Wilcox [mailto:steve@opaltelecom.co.uk]
Sent: Friday, February 23, 2001 2:19 AM
To: Mark Radabaugh
Cc: North America Network Operators Group Mailing List
Subject: RE: rfc 1918?

This only can apply to small networks, specifically stub networks, if you're carrying transit or have multiple connections out you'll find filters which only allow your own ips in and out start dropping a whole lot else!

But I think you have the right idea, filters should be applied at the provider edge to such stub networks and then no nasty ips will get through to the provider network and hence the internet.

Oh, and I don't think I showed my opinion on my last mail, I think use of 1918 on p2p is wrong! But.. as so many large networks do it you can't just filter it out and assume everything will work.

Steve

On Thu, 22 Feb 2001, Mark Radabaugh wrote:

It is my intention to avoid having 1918 addresses leaving my network. At our egress points the filters are fairly short -- they allow only traffic with our IP source addresses to leave. This was my interpretation of the RFC's. Some in this discussion seem to be saying that we should also filter for RFC1918 destinations. Am I reading this correctly?

I can see that packets destined for RFC1918 addresses will leave our network (due to default routes) but are promptly dropped at the first BGP speaking router they encounter. Is it worth the extra router processing time to check all outgoing packet destinations as well? I can't see where this extra filtering is worth the trouble.

Mark Radabaugh VP, Amplex (419)833-3635 mark@amplex.net
participants (1) - Mathew Butler
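The filtering discussed in this thread, as an added example that is not part of any of the original messages: a Python model of a stub network's edge filter, run over the cases the posters describe. The prefix 198.51.100.0/24, the sample addresses, and all function and parameter names are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: a documentation prefix standing in for the stub's own block.
OWN = ["198.51.100.0/24"]


def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def edge_verdict(direction, src, dst, own_prefixes, check_rfc1918_dst=False):
    """Decide what a stub network's edge filter does with one packet.

    direction is "egress" (leaving the stub) or "ingress" (entering it).
    Returns (action, reason).
    """
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    if direction == "egress":
        # Only our own source addresses may leave. RFC 1918 sources are
        # never inside the public block, so they are dropped here too.
        if not _in_any(src, own):
            return ("drop", "source not in own range")
        # Optional destination check, the extra cost asked about in the thread.
        if check_rfc1918_dst and _in_any(dst, RFC1918):
            return ("drop", "RFC 1918 destination")
        return ("permit", "own source")
    if direction == "ingress":
        # A stub should only receive traffic addressed to itself.
        if not _in_any(dst, own):
            return ("drop", "destination not in own range")
        return ("permit", "destined to own range")
    raise ValueError("direction must be 'egress' or 'ingress'")


def scenarios():
    """Constructed packets covering the cases raised in the thread."""
    return {
        "transit shunted in": edge_verdict("ingress", "203.0.113.7", "192.0.2.9", OWN),
        "transit shunted out": edge_verdict("egress", "203.0.113.7", "192.0.2.9", OWN),
        "1918 source leaking": edge_verdict("egress", "10.1.2.3", "192.0.2.9", OWN),
        "1918 dst, source-only": edge_verdict("egress", "198.51.100.5", "192.168.1.1", OWN),
        "1918 dst, dst check": edge_verdict("egress", "198.51.100.5", "192.168.1.1", OWN, True),
    }
```

The same rules applied to a network that carries transit would drop its customers' traffic, which is the limitation raised in the thread for anything other than stub networks.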