[nsp] 192.168.x.y from upstream

Rivo Tahina RAZAFINDRATSIFA r.tahina at dts.mg
Mon Mar 10 17:20:52 EST 2003


Thank you!
At 13:02 10/03/03 +0000, you wrote:
>
>On Mon, 10 Mar 2003, Gert Doering wrote:
>
>> On Mon, Mar 10, 2003 at 02:42:01PM +0300, Rivo Tahina RAZAFINDRATSIFA wrote:
>> > Why do I receive something from a private IP address such as 192.168. from my
>> > upstream?
>> 
>> Because many ISPs are lazy and do not properly filter packets before
>> the packets leave their networks.
>
>Indeed, although at one time this setup was encouraged when we thought IP space was
>scarce!
>
>But do NOT ever filter this on your core network or you will break things that
>the RFC1918 sourced packets may be carrying - most significantly pMTU conveyed
>with ICMP.
>
>The most prominent site I was aware of using RFC1918 internally that breaks if
>you filter RFC1918 ingress and then use <1500 MTU was bt.com (amongst others).
>The problem being a lot of companies use private addresses behind firewalls and
>do not include them in dynamic NAT configs etc falsely assuming these systems
>will never send packets to the Internet.
>
>> Proper network management consists of (relating to RFC1918 only):
>> 
>>  - don't use RFC 1918 addresses for the ISP backbone networks
>>    (because traceroute and other ICMP responses might end up being
>>    sent with those addresses, which violates RFC 1918)
>
>Absolutely, this is a violation of RFC1918..
> 
>>  - filter your customer access lines so that customers can only generate
>>    packets with source IPs that belong to them ("anti-spoofing"), see
>>    also RFC 2827 "Network Ingress Filtering".
>
>Good anti-DDoS measure this..
>
>Steve
>
>> 
>> gert
>> 
>
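
The filtering advice in the quoted thread, as an added Python illustration that is not from the list or its posters: an RFC 2827 anti-spoofing check at the customer access line beside the core-network RFC 1918 source filter Steve warns against, showing that the latter also discards the ICMP Fragmentation Needed messages that path MTU discovery depends on. The Packet fields, the customer prefix and the sample traffic are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str           # "tcp", "udp" or "icmp"
    icmp_type: int = -1  # only meaningful when proto == "icmp"
    icmp_code: int = -1


def is_rfc1918(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in RFC1918)


def is_pmtu_message(pkt: Packet) -> bool:
    # ICMP Destination Unreachable (type 3), Fragmentation Needed (code 4):
    # the message a sender needs to learn a path MTU below its own.
    return pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 4


def customer_edge_filter(pkt: Packet, assigned: list) -> str:
    """RFC 2827 ingress filter on a customer access line: the customer may
    only source packets from the prefixes assigned to it (anti-spoofing)."""
    ip = ipaddress.ip_address(pkt.src)
    return "permit" if any(ip in ipaddress.ip_network(p) for p in assigned) else "deny"


def naive_core_filter(pkt: Packet) -> str:
    """The blanket RFC 1918 source filter on the core that the thread warns against."""
    return "deny" if is_rfc1918(pkt.src) else "permit"


def pmtu_collateral(packets, core_filter) -> list:
    """PMTU messages a given core filter would silently discard."""
    return [p for p in packets if is_pmtu_message(p) and core_filter(p) == "deny"]


# Constructed sample traffic (not captured data); 203.0.113.0/24 is the customer's prefix.
SAMPLE = [
    Packet("203.0.113.10", "tcp"),                              # legitimate customer source
    Packet("192.168.1.7", "udp"),                               # leaked/spoofed private source
    Packet("192.168.44.1", "icmp", icmp_type=3, icmp_code=4),   # PMTU message from a privately numbered router
    Packet("198.51.100.9", "icmp", icmp_type=8, icmp_code=0),   # ordinary echo request
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, "edge:", customer_edge_filter(p, ["203.0.113.0/24"]), "core:", naive_core_filter(p))
    print("PMTU messages lost to the core filter:", [p.src for p in pmtu_collateral(SAMPLE, naive_core_filter)])
```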