Re: Removing features

On Tuesday 14 October 2003 11:36, Jeroen Massar wrote:
> Juan Rodriguez Hervella wrote:
> <SNIP>
> > > > Do you know what are the problems that *root zone operators* are
> > > > experiencing with RFC 1918 addresses ? It would be very interesting
> > > > if you could explain (to me) some of these issues... I don't see why
> > > > this kind of addresses could be a problem, as long as they
> > > > don't use them....
> > >
> > > You might want to read http://www.as112.net/
> <SNIP>
> > I would have to read it again, but I think that ICMP error
> > messages are sent with the source address of the output interface, so IMO
> > it would be able to come back.
> $stupiddevice --> non-filtering-ISP --> Transit --> Nameserver
>                                         x.x.x.x
> To which IP should the Nameserver, or for that matter anything
> filtering in between send the traffic? In the DFZ there is no
> route to, if there was it is still a bogon.
> AS112 concentrates on bogus queries from valid IP's though as
> the rootservers get queries for things like: PTR.
> Mind you if the ISP doesn't even filter RFC1918 space they are not
> filtering based on source address also. Thus that complete ISP is
> a perfect source for..... spoofed ddos'ses, now track those ;)
> ISP's should filter *any* source addresses that are not delegated
> to their clients, doing this more at the edge where the client
> connects to their network is a good thing. They should for
> stupidity's sake also only forward traffic that they know the
> destination is only at that client. Yes this breaks 'multihoming',
> but is that real multihoming? Not per my definition at least.
> uRPF etc come to mind also of course.
> Greets,
>  Jeroen

I agree with you Jeroen, I misunderstood the following phrase:

> And that is only queries, you don't want to know how many RFC1918
> sourced addresses they are dropping, can't send an icmp back now can you :)

I was thinking that you were talking about packets with 
"src=global dest=private", and I just wanted to note that ICMP error
packets are sent with "src=<output_iface>, dest=global".

I see private addressing is a really bad idea, and I quite agree with

See you and thanks again !
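
Added example, not part of the original messages: a Python sketch of the edge source-address filtering discussed in the quoted text, where a packet is accepted only if its source is delegated to the port it arrived on, and an RFC 1918 source leaves no routable address for an ICMP error. The port names, the prefix table (documentation ranges), the sample traffic and the function names are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges: no route exists for these in the default-free zone.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample table: prefixes delegated to each customer-facing port.
# Port names are hypothetical; prefixes are documentation ranges.
DELEGATED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("192.0.2.128/25")],
}

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)

def ingress_verdict(port, src):
    """Decide what an edge filter does with a packet arriving from a customer port."""
    addr = ipaddress.ip_address(src)
    if in_any(addr, DELEGATED.get(port, [])):
        return "accept"
    if in_any(addr, RFC1918):
        return "drop-rfc1918"
    # Globally routable, but delegated to someone else: a spoofed source.
    return "drop-not-delegated"

def icmp_error_routable(src):
    """An ICMP error is addressed to the offending packet's source;
    with an RFC 1918 source there is nowhere in the DFZ to send it."""
    return not in_any(ipaddress.ip_address(src), RFC1918)

def summarize(packets):
    """Tally ingress verdicts for a list of (port, source address) pairs."""
    counts = {}
    for port, src in packets:
        verdict = ingress_verdict(port, src)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample traffic, not captured data.
SAMPLE = [("cust-a", "192.0.2.10"), ("cust-a", "10.1.2.3"),
          ("cust-a", "198.51.100.7"), ("cust-b", "192.0.2.200"),
          ("cust-b", "172.20.0.9")]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```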


