Ouch!
Care to name the offending party, so those of us who have a choice
can avoid it?
David Gillett
On 11 Jun 2001, at 10:05, Crispin Harris wrote:
> One thing about egress filtering which I noted recently.
>
> If the leaf node is using VPN software, you may be in for a surprise!
>
> At least one major vendor of VPN client software performs the Virtual
> functions by re-writing the source address of the packet:
>
> Mobile PC: -A-
> VPN Gateway: -B-
> Protected Server: -C-
>
> Communicating from -A- to -C- via -B-:
> On A:
> Packet 1:
> SRC: A
> DST: B
>
> Packet 2:
> SRC: -C-
> DST: B
>
> This product rewrites the packet so that the gateway sees an incoming
> packet with the final destination as the source!
> (Not very nice eh?)
>
> Regards,
> Crispin Harris
>
> > -----Original Message-----
> > From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, 10 June 2001 11:59 PM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: This is a must read document. It will freak you out
> >
> >
> > On Sun, 10 Jun 2001 [EMAIL PROTECTED] wrote:
> >
> > > Egress filtering at border points is appropriate for leaf networks.
> >
> > Which is exactly what I'm proposing.
> >
> > > Many ISPs, though, also ferry third-party traffic between their
> > > peering points; it would be inappropriate for them to accept traffic
> > > that an egress rule elsewhere will prevent them from delivering.
> >
> > Egress rules don't prevent anything from being delivered if the egress is
> > legitimate.
> >
> > > This isn't to say that it can't or shouldn't be done, only that
> > > determining how much filtering should be done, and at which routers,
> > > may be less simple for multi-homed ISPs than it sounds.
> >
> > Once again, I'm stressing that end-user network filtering be the
> > major point of egress filtering, not ISP networks.
> >
> > ISPs can do fairly easy filtering based on prefixes they transit or
> > announce, but I agree with the contention that the aggregation of traffic
> > is too much at those points to not affect performance by filtering in the
> > transit space. ISPs' hosting networks should, of course, employ egress
> > filtering, but in that case, they're acting as a leaf node, not a transit
> > entity.
> >
> > Paul
> > ---------------------------------------------------------------------------
> > Paul D. Robertson      "My statements in this message are personal opinions
> > [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
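The surprise Crispin describes, as an added example that is not part of the thread: a Python model of a leaf-network egress rule evaluated against his Packet 1 and Packet 2, showing why the rewritten packet is dropped and how narrow an exception has to be to let it through without reopening the spoofing hole. The addresses, the PROTECTED_PREFIX and the gateway-bound exception rule are assumptions of mine, not from the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the roles in the thread (assumptions, not from the page):
#   -A- mobile PC inside the leaf network, -B- VPN gateway, -C- protected server behind B.
LEAF_PREFIX = ipaddress.ip_network("192.0.2.0/24")       # address space the leaf network owns
PROTECTED_PREFIX = ipaddress.ip_network("10.20.0.0/16")  # space behind the VPN gateway
A = ipaddress.ip_address("192.0.2.10")
B = ipaddress.ip_address("198.51.100.1")
C = ipaddress.ip_address("10.20.0.5")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def egress_verdict(pkt, leaf_prefix=LEAF_PREFIX, vpn_exceptions=()):
    """Decide whether a packet may leave the leaf network.

    Plain egress rule: only packets sourced from our own prefix get out, which
    stops spoofed traffic but also drops the VPN client's rewritten packet.
    vpn_exceptions is a tuple of (protected_prefix, gateway) pairs: a narrowly
    scoped hole that permits such packets only when bound for the known gateway.
    """
    if pkt.src in leaf_prefix:
        return "permit"
    for protected, gateway in vpn_exceptions:
        if pkt.src in protected and pkt.dst == gateway:
            return "permit"
    return "drop"


def scenario():
    """Evaluate the two packets from the post (plus a spoof) under both rule sets."""
    packet1 = Packet(A, B)   # normal traffic from the mobile PC to the gateway
    packet2 = Packet(C, B)   # VPN client rewrote the source to the final destination
    spoofed = Packet(C, ipaddress.ip_address("203.0.113.7"))  # same bogus source, other dst
    exc = ((PROTECTED_PREFIX, B),)
    strict = tuple(egress_verdict(p) for p in (packet1, packet2, spoofed))
    relaxed = tuple(egress_verdict(p, vpn_exceptions=exc) for p in (packet1, packet2, spoofed))
    return strict, relaxed


if __name__ == "__main__":
    print(scenario())
```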