[nsp] 192.168.x.y from upstream

Gert Doering gert at greenie.muc.de
Mon Mar 10 22:43:59 EST 2003


Hi,

On Mon, Mar 10, 2003 at 06:50:46PM +0100, Daniel Roesen wrote:
> On Mon, Mar 10, 2003 at 01:56:09PM +0100, Gert Doering wrote:
> > Because many ISPs are lazy and do not properly filter packets before
> > the packets leave their networks.
> Laziness is not the only reason. It's also a matter of scale.

Nah.  Blaming scaling issues for not filtering customers is just another
form of laziness.  Especially if you're big, products have to be
standardized anyway -> all customer interfaces with static routing get
unicast RPF, all multihomed customers get source ACLs, period.

> > Proper network management consists of (relating to RFC1918 only):
> > 
> >  - don't use RFC 1918 addresses for the ISP backbone networks
> >    (because traceroute and other ICMP responses might end up being
> >    sent with those addresses, which violates RFC 1918)
> > 
> >  - filter your customer access lines so that customers can only generate
> >    packets with source IPs that belong to them ("anti-spoofing"), see
> >    also RFC 2827 "Network Ingress Filtering".
> 
> None of these two prevent a downstream customer of yours from receiving
> traffic with RFC1918 source addresses.

This is true, but there is no way to do that (prevent packets with an
RFC 1918 source IP) without breaking traceroute and/or PMTUd for those
packets traveling through lazy providers' networks.

So you have to solve the problem at the root.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
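The two ingress-filter styles Gert contrasts above (strict unicast RPF for static-routed customers, source ACLs for multihomed ones) are modelled below as an added example; it is not part of the original post, and the routing table, interface names, prefixes and packets are constructed samples. It also shows why the multihomed case needs the ACL: a legitimate source whose best route points elsewhere fails strict uRPF.

```python
"""Added example (not from the original post): strict unicast RPF versus a
per-customer source ACL, the two RFC 2827 ingress-filter styles named in the
thread. Prefixes, interface names and packets are constructed samples."""
import ipaddress

# Constructed routing table: prefix -> egress interface (longest match wins).
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "Serial0",   # static-routed customer A
    ipaddress.ip_network("198.51.100.0/24"): "Serial1",  # multihomed customer B
    ipaddress.ip_network("0.0.0.0/0"): "Upstream0",      # default route
}

# Constructed source ACL for customer B: prefixes it may legitimately originate,
# including 192.0.2.0/24, which we reach via its other provider (not via Serial1).
SOURCE_ACL = {
    "Serial1": [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("192.0.2.0/24")],
}

RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(addr):
    """Longest-prefix match; returns the egress interface for addr."""
    a = ipaddress.ip_address(addr)
    matches = [n for n in ROUTES if a in n]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None


def strict_urpf(src, ingress):
    """Strict uRPF: accept only if the best route back to the source leaves
    via the interface the packet arrived on. The default route points
    upstream, so spoofed or unrouted sources never match a customer port."""
    return lookup(src) == ingress


def source_acl(src, ingress):
    """Source ACL: accept only if the source is in a prefix assigned to that port."""
    s = ipaddress.ip_address(src)
    return any(s in n for n in SOURCE_ACL.get(ingress, []))


def is_rfc1918(src):
    """True if the source address is private (RFC 1918) space."""
    s = ipaddress.ip_address(src)
    return any(s in n for n in RFC1918)
```

Run the checks on a few packets: `strict_urpf("192.0.2.5", "Serial1")` is False although the source is legitimate, while `source_acl` accepts it, which is the asymmetric-routing reason the post gives for putting ACLs rather than uRPF on multihomed ports.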
