> It's no different than any other address space that gets advertised by
> multiple entities. Tier-1 providers should be filtering their ingress
> routes anyway, not that it should matter unless you're the destination.
> Sourced packets from any source address will reach you, the IANA reserved
> blocks shouldn't mean anything different than any other spoofed packet to
> a network.
My point exactly.
> You shouldn't leak such packets to the world. If you do, you should deal
> with the brokenness of your networks. That's true for any traffic that
> isn't part of your legal address space. It'd be a better world if
> everyone initiated outbound filtering on their border routers for packets
> not legitimately sourced (not that I'm holding my breath.) Outbound
> rules on a Cisco are still fast-switched (not sure if inbound packets are
> still process switched, but outbound definitely is fast switched.)
> If you're not filtering invalid sources at your border, then you're not
> doing a very good job. If you're leaking packets from invalid addresses,
> you're doing a worse job. Address blocks are just that- attempting to
> assign some special value to a set of addresses leaked by you or someone
> else to a subset of the address range doesn't address the full problem,
> you shouldn't leak invalid packets, and you should be able to handle
> obvious spoof attempts- incomplete as it may be - as well as real spoof
> attempts on any exposed servers.
Ok, saying you "shouldn't do such things" is fine for conversation, but tell
this to the near 50 Tier 1's (this number expands and contracts on almost a
weekly basis depending on who's acquiring or striking deals with who). My point
is that the Internet doesn't operate on what people say, it operates on what
people do, and that you have to account for reasonable levels of chaos when
dealing with larger numbers of individuals. The probability that people make
routing mistakes is high... the probability that the mistake made is "routing
private addressing to others" is less, but significant, and last... the
probability that two major providers do it at the same time is even less, but
still there. As far as the ACL stuff goes, some folks implement it, some don't.
> People have announced routes to the 1918 netblocks before. Broken load
> balancing and NAT equipment has leaked before, it'll happen again, but it
> shouldn't be a big deal on a well-run network. If you don't trust the
> equipment, switch to proxy servers, you're not going to leak then.
And is the full impact of this visible?
Has other equipment received packets which weren't destined to it?
Matt
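The two border filters the thread argues for (don't leak packets whose source isn't your own address space; don't accept packets from outside that claim your space or come from RFC 1918 and other reserved blocks) can be modelled as a source-address check over flow records. This is an added example, not code from the list post; the site's address space and the flow records are constructed sample values.

```python
"""Border source-address filter check (added example, constructed data)."""
import ipaddress
from typing import List, Tuple

# Assumed legitimate (announced) address space of the site: constructed example.
OWN_SPACE = [ipaddress.ip_network("198.51.100.0/24")]

# RFC 1918 private space plus other blocks that should never be a source
# address on the Internet (this-network, loopback, link-local, multicast).
BOGON_SPACE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)

def check_source(direction: str, src: str) -> Tuple[bool, str]:
    """Return (permit, reason) for one packet's source address.

    direction is "in" (arriving from the Internet) or "out" (leaving the site).
    Outbound: source must be in our own space (egress filter against leaks).
    Inbound: source must not be our own space or a bogon (ingress anti-spoof).
    """
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGON_SPACE):
        return False, "bogon/private source"
    if direction == "out":
        if not _in_any(addr, OWN_SPACE):
            return False, "leaked: source not in own address space"
        return True, "ok"
    if direction == "in":
        if _in_any(addr, OWN_SPACE):
            return False, "spoofed: external packet claims our own address"
        return True, "ok"
    raise ValueError(f"unknown direction {direction!r}")

def filter_flows(flows: List[str]) -> List[str]:
    """Apply check_source to 'direction src dst' records; return the denied
    records annotated with the reason the border filter would drop them."""
    denied = []
    for line in flows:
        direction, src, _dst = line.split()
        permit, reason = check_source(direction, src)
        if not permit:
            denied.append(f"{line}  # deny: {reason}")
    return denied

# Constructed sample flow records: direction, source, destination.
SAMPLE_FLOWS = [
    "out 198.51.100.7 203.0.113.9",    # legitimate outbound traffic
    "out 10.1.2.3 203.0.113.9",        # RFC 1918 source leaking out (broken NAT)
    "out 192.0.2.44 203.0.113.9",      # not our space: mis-sourced packet
    "in 203.0.113.9 198.51.100.7",     # legitimate inbound traffic
    "in 172.16.5.5 198.51.100.7",      # private source arriving from outside
    "in 198.51.100.200 198.51.100.7",  # outside packet claiming our own address
]

if __name__ == "__main__":
    for entry in filter_flows(SAMPLE_FLOWS):
        print(entry)
```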
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]