[c-nsp] IP Options Drop

Phil Mayers p.mayers at imperial.ac.uk
Tue Apr 22 01:51:52 EDT 2014


Sure but eventually you run out of transit links and reach edge/host networks ;o)

Address "plans" in enterprise networks tend to contain decades of legacy that make aggregating the router IP addresses infeasible. They're usually firewalled of course but that doesn't help you if something inside the firewall scans your entire /16.

This is why so many people rely on CPP I'd wager. Sticking a (different) 2517 ACE ACL on every edge interface is not something I'd feel entirely safe about...

Fwiw all our transit nets internally and onwards to other customers are indeed numbered from dedicated blocks. We have a few miscreant customers who nat to that address and whose practice predates anything we might refer to as internet security ("but we use that IP to talk to a space probe launched in 1986!") but those blocks are in the main unreachable.
-- 
Sent from my phone, please excuse brevity and typos
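The two ways of handling IP-options packets that the post contrasts, shown side by side as an added illustration (this is not configuration from the post or from Phil's network): a per-interface ACL that has to be applied, and kept correct, on every edge interface, versus a box-wide control that catches options packets regardless of which interface they arrive on. The interface name, the ACL/class-map/policy-map names and the policer rate are assumed for the example.

```cisco
! --- Approach 1: per-interface filtering (the "ACL on every edge interface" case) ---
! Has to be present and correct on every edge interface; names are assumed.
ip access-list extended EDGE-IN
 deny   ip any any option any-options
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
!
! --- Approach 2a: one global knob, no per-interface state ---
! Drops packets carrying IP options whether they are transit or destined
! to the router itself (assumed example of the global command).
ip options drop
!
! --- Approach 2b: CoPP, policing what gets punted to the route processor ---
! Options packets are punted to the CPU on most platforms, so a control-plane
! policy sees them no matter which interface they came in on.
ip access-list extended COPP-IP-OPTIONS
 permit ip any any option any-options
!
class-map match-all COPP-IP-OPTIONS
 match access-group name COPP-IP-OPTIONS
!
policy-map COPP
 class COPP-IP-OPTIONS
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
```

The point of 2a and 2b is that they do not depend on an operator remembering to attach the right ACL to a newly provisioned edge port, which is the gap the post is worried about. The trade-off is scope: `ip options drop` is not interface-scoped, so check on your platform how it treats Router Alert packets (RSVP, IGMP) before enabling it in a network that relies on them, and a CoPP policy only protects the control plane, not transit traffic.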

