On Tuesday 14 October 2003 11:36, Jeroen Massar wrote:
> Juan Rodriguez Hervella wrote:
>
> <SNIP>
>
> > > > Do you know what are the problems that *root zone operators* are
> > > > experiencing with RFC 1918 addresses ? It would be very interesting
> > > > if you could explain (to me) some of these issues... I don't see why
> > > > this kind of addresses could be a problem, as long as they
> > > > don't use them....
> > >
> > > You might want to read http://www.as112.net/
>
> <SNIP>
>
> > I would have to read it again, but I think that ICMP error
> > messages are sent with the source address of the output interface, so IMO
> > it would be able to come back.
>
> $stupiddevice --> non-filtering-ISP --> Transit --> Nameserver
> 192.168.0.1                                         x.x.x.x
>
> To which IP should the Nameserver, or for that matter anything
> filtering in between send the traffic? In the DFZ there is no
> route to 192.168.0.0/16, if there was, it is still a bogon.
> AS112 concentrates on bogus queries from valid IPs though as
> the rootservers get queries for things like: 1.0.168.192.in-addr.arpa. PTR.
>
> Mind you if the ISP doesn't even filter RFC1918 space they are not
> filtering based on source address also. Thus that complete ISP is
> a perfect source for..... spoofed ddos'ses, now track those ;)
>
> ISPs should filter *any* source addresses that are not delegated
> to their clients, doing this more at the edge where the client
> connects to their network is a good thing. They should for
> stupidity's sake also only forward traffic that they know the
> destination is only at that client. Yes this breaks 'multihoming',
> but is that real multihoming? Not per my definition at least.
> uRPF etc come to mind also of course.
>
> Greets,
> Jeroen

I agree with you Jeroen, I misunderstood the following phrase:

> And that is only queries, you don't want to know how many RFC1918
> sourced addresses they are dropping, can't send an icmp back now can you :)

I was thinking that you were talking about packets with
"src=global dest=private", and I just wanted to note that ICMP error
packets are sent with "src=<output_iface>, dest=global".

I see private addressing is a really bad idea, and I quite agree with
http://www.ietf.org/internet-drafts/draft-ietf-ipv6-deprecate-site-local-01.txt

See you and thanks again!

--
JFRH

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
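
The edge filtering and the leaked reverse lookups discussed in this thread, as an added example that is not part of the original messages: a source check on traffic from a customer port, a destination check on traffic toward it, and a test for PTR names such as 1.0.168.192.in-addr.arpa that fall inside RFC 1918 space. The port names, the delegated prefixes and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: prefixes delegated to each customer port
# (documentation ranges; port names are hypothetical).
DELEGATED = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/25")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/24")],
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _delegated(port, addr):
    return any(addr in net for net in DELEGATED.get(port, []))


def from_customer(port, src):
    """Source check on a packet arriving from a customer port."""
    addr = ipaddress.ip_address(src)
    if _delegated(port, addr):
        return "forward"
    if any(addr in net for net in RFC1918):
        return "drop: RFC 1918 source"
    return "drop: source not delegated to this port"


def to_customer(port, dst):
    """Destination check on a packet about to be sent to a customer port."""
    if _delegated(port, ipaddress.ip_address(dst)):
        return "forward"
    return "drop: destination not at this client"


def is_private_ptr(qname):
    """True if qname is a reverse (in-addr.arpa) name inside RFC 1918 space."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return False
    octets = labels[:-2][::-1]          # reverse names list octets last-first
    if not 1 <= len(octets) <= 4:
        return False
    if not all(o.isdecimal() and int(o) <= 255 for o in octets):
        return False
    # Pad partial names (e.g. 168.192.in-addr.arpa) out to a network prefix.
    padded = [str(int(o)) for o in octets] + ["0"] * (4 - len(octets))
    net = ipaddress.ip_network(".".join(padded) + "/%d" % (8 * len(octets)))
    return any(net.subnet_of(p) for p in RFC1918)
```

A resolver or edge device that applies `is_private_ptr` can answer such queries locally instead of forwarding them toward the root servers.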