On Mon, 17 Jul 2000, Eric A. Hall wrote:
> When ISPs choose to mark their packets with Internet-illegal addresses, they are contributing to these problems. Sorry, but you're not supposed to be using these addresses anyway.

This is utterly stupid. You can use these addresses any way you see fit, you can source packets from them if you'd like, and they are as valid as any other address to use and be "on the internet". What you CAN'T do, however, is expect that these packets can ever be replied to, or exchange or accept any kind of information on how to route this IP space outside of your network.

Sure, it's probably not the best idea in the world to send out packets you can't expect a reply to, but it's not prohibited for a reason, and it's certainly not the end of the world you make it out to be. If you really want to filter RFC1918 sourced packets at your borders for whatever reason, it's your choice. Trust me, I've probably seen a lot more DoS than most people in one way or another, and filtering 1918 space is in absolutely NO way any kind of magic bullet or even worth the processor time (if you're gonna spend the time filtering there are much better things out there).

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)

"Richard A. Steenbergen" wrote:
> On Mon, 17 Jul 2000, Eric A. Hall wrote:
> > When ISPs choose to mark their packets with Internet-illegal addresses, they are contributing to these problems. Sorry, but you're not supposed to be using these addresses anyway.
>
> This is utterly stupid. You can use these addresses any way you see fit, you can source packets from them if you'd like, and they are as valid as any other address to use and be "on the internet".

What's dumber?

a) Filtering illegal packets from entering your network because they use your internal address range, because they are classed unroutable and should never appear on that interface, or both

-or-

b) Sending packets that you KNOW will be dropped or filtered by a good portion of their intended recipients.

Let's try to do this without the name calling. Thanks.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/

On Tue, 18 Jul 2000 19:22:44 EDT, "Richard A. Steenbergen" said:
> DoS than most people in one way or another, and filtering 1918 space is in absolutely NO way any kind of magic bullet or even worth the processor time (if you're gonna spend the time filtering there are much better things out there).

OK.. I'll bite - what's in YOUR favorite list of things to filter? ;)

Or more correctly, what's in your list for:

a) connectivity providers (who mostly have just transit packets between customers)

b) endpoint sites - we may have 2 /16's and a lot of OC3/12 links, but our 2 /16s shouldn't be transiting anything (as opposed to the routing swamp just outside our border router).

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech

participants (3)
- Eric A. Hall
- Richard A. Steenbergen
- Valdis.Kletnieks@vt.edu