[nsp] 192.168.x.y from upstream

Gert Doering gert at greenie.muc.de
Mon Mar 10 22:43:59 EST 2003


On Mon, Mar 10, 2003 at 06:50:46PM +0100, Daniel Roesen wrote:
> On Mon, Mar 10, 2003 at 01:56:09PM +0100, Gert Doering wrote:
> > Because many ISPs are lazy and do not properly filter packets before
> > the packets leave their networks.
> Lazyness is not the only reason. It's also a matter of scale.

Nah.  Blaiming scaling issues to not filtering customers is just another
form of laziness.  Especially if you're big, products have to be
standardized anyway -> all customer interfaces with static routing get
unicast RPF, all multihomed customers get source ACLs, period.

> > Proper network management consist of (relating to RFC1918 only):
> > 
> >  - don't use RFC 1918 addresses for the ISP backbone networks
> >    (because traceroute and other ICMP responses might end up being
> >    sent with those addresses, which violates RFC 1918)
> > 
> >  - filter your customer access lines so that customers can only generate
> >    packets with source IPs that belong to them ("anti-spoofing"), see
> >    also RFC 2827 "Network Ingress Filtering".
> None of these two prevent a downstream customer of yours to receive
> traffic with RFC1918 source addresses.

This is true, but there is no way to do that (prevent packets with an
RFC 1918 source IP) without breaking traceroute and/or PMTUd for those
packets traveling through lazy provider's networks.

So you have to solve the problem at the root.


USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

More information about the cisco-nsp mailing list