[c-nsp] dropping traffic for RFC3330 networks

lee.e.rian at census.gov lee.e.rian at census.gov
Tue Aug 29 11:47:04 EDT 2006


Does any ISP filter out bogus addresses?  None of ours do :-(

Here's a snippet from the input access list on one of our Internet routers:
 deny ip 10.0.0.0 0.255.255.255 any (329629 matches)
 deny ip 127.0.0.0 0.255.255.255 any (181 matches)
 deny ip 169.254.0.0 0.0.255.255 any (213 matches)
 deny ip 172.16.0.0 0.15.255.255 any (29701 matches)
 deny ip 192.168.0.0 0.0.255.255 any (33268 matches)

> Traffic 'sourced' from or 'destined' to 3330 on your edge ingress should
> probably result in a conversation with your upstream :-)

It has.  Didn't do any good though, they still don't filter out the obvious
garbage.
If anyone has some suggestions on how to convince them that filtering out
the garbage really would be a Good Thing to do, I'd love to hear them.

Lee



Jeff Kell <jeff-kell at utc.edu> wrote on 08/29/2006 08:12:56 AM:

> lee.e.rian at census.gov wrote:
> > Dan Armstrong <dan at beanfield.com> wrote on 08/28/2006 09:57:02 PM:
> >
> >
> >> On a related note to this..... what are people's opinions about null
> >> routing vs. ACLing  bogons?
> >>
> >
> > I always thought null routing was better.  ACLs may or may not be
> > applied in the fast path and they generate ICMP unreachables
> Null routing is the most efficient and scaleable way to obliterate
> traffic, but it has two downsides:
>
> * It 'terminates with extreme prejudice' leaving no trail, (does it have
> a characteristic netflow?)
> * It only drops traffic based on destination address (by itself)
>
> If the hardware supports uRPF then null routing will also drop based on
> source address.
>
> The big questions are 'do you care?' about this traffic, and 'what use
> is that knowledge?'.
>
> Traffic 'sourced' from or 'destined' to 3330 on your edge ingress should
> probably result in a conversation with your upstream :-)  ACLs would
> reveal the addresses in question for troubleshooting, but having a 3330
> source doesn't help much of anything.
>
> Traffic to/from 3330 on your edge egress means you have a problem
> internally.  ACLs will help identify the traffic, but you really want to
> move this sort of filtering closer to your access layers where you can
> do ACLs with log-input to hopefully yield a better clue where it's
> coming from.  By the time you reach the edge, source filtering is too
> late to be useful for troubleshooting.
>
> Jeff
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
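Added example, not code from the post: a small Python script that turns the wildcard-mask ACL entries above into networks and sorts constructed flow records the way Jeff's reasoning does (bogon at edge ingress points at the upstream, bogon at edge egress points at an internal leak). The record layout and the sample addresses are assumptions.

```python
import ipaddress

# The deny entries from the access list in the post (address, wildcard).
ACL_ENTRIES = [
    ("10.0.0.0", "0.255.255.255"),
    ("127.0.0.0", "0.255.255.255"),
    ("169.254.0.0", "0.0.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
]

def wildcard_to_network(addr, wildcard):
    """Cisco wildcards are inverted netmasks: 0 bits must match, 1 bits
    are don't-care.  Invert each octet to get a conventional netmask."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)

BOGONS = [wildcard_to_network(a, w) for a, w in ACL_ENTRIES]

def matching_bogon(ip):
    """Return the special-use network containing ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for net in BOGONS:
        if addr in net:
            return str(net)
    return None

def classify(record):
    """record: {'direction': 'ingress'|'egress', 'src': ..., 'dst': ...}
    (assumed layout).  Verdict follows the thread: special-use addresses
    seen at edge ingress are an upstream filtering problem, at edge
    egress they are an internal problem to chase toward the access layer."""
    src_hit = matching_bogon(record["src"])
    dst_hit = matching_bogon(record["dst"])
    if not src_hit and not dst_hit:
        return "ok"
    where = "upstream" if record["direction"] == "ingress" else "internal"
    field = "src" if src_hit else "dst"
    return f"{where}:{field}:{src_hit or dst_hit}"

# Constructed sample flows, not real netflow data.
SAMPLE_FLOWS = [
    {"direction": "ingress", "src": "10.1.2.3", "dst": "198.51.100.7"},
    {"direction": "ingress", "src": "203.0.113.9", "dst": "198.51.100.7"},
    {"direction": "egress", "src": "198.51.100.7", "dst": "192.168.5.1"},
    {"direction": "egress", "src": "169.254.10.10", "dst": "203.0.113.9"},
]

def classify_all(flows=SAMPLE_FLOWS):
    return [classify(f) for f in flows]

if __name__ == "__main__":
    for f, verdict in zip(SAMPLE_FLOWS, classify_all()):
        print(f["direction"], f["src"], "->", f["dst"], verdict)
```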
