Re: Removing features



On Tuesday 14 October 2003 11:36, Jeroen Massar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Juan Rodriguez Hervella wrote:
>
> <SNIP>
>
> > > > Do you know what are the problems that *root zone operators* are
> > > > experiencing with RFC 1918 addresses ? It would be very interesting
> > > > if you could explain (to me) some of these issues... I don't see why
> > > > this kind of addresses could be a problem, as long as they
> > > > don't use them....
> > >
> > > You might want to read http://www.as112.net/
>
> <SNIP>
>
> > I would have to read it again, but I think that ICMP error
> > messages are sent with the source address of the output interface, so IMO
> > it would be able to come back.
>
> $stupiddevice --> non-filtering-ISP --> Transit --> Nameserver
>  192.168.0.1                                         x.x.x.x
>
> To which IP should the Nameserver, or for that matter anything
> filtering in between send the traffic? In the DFZ there is no
> route to 192.168.0.0/16; if there was, it is still a bogon.
> AS112 concentrates on bogus queries from valid IP's though as
> the rootservers get queries for things like: 1.0.168.192.in-addr.arpa. PTR.
>
> Mind you if the ISP doesn't even filter RFC1918 space they are not
> filtering based on source address also. Thus that complete ISP is
> a perfect source for..... spoofed ddos'ses, now track those ;)
>
> ISP's should filter *any* source addresses that are not delegated
> to their clients, doing this more at the edge where the client
> connects to their network is a good thing. They should for
> stupidity's sake also only forward traffic that they know the
> destination is only at that client. Yes this breaks 'multihoming',
> but is that real multihoming? Not per my definition at least.
> uRPF etc. come to mind also, of course.
>
> Greets,
>  Jeroen
>
> -----BEGIN PGP SIGNATURE-----
> Version: Unfix PGP for Outlook Alpha 13 Int.
> Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/
>
> iQA/AwUBP4vDpymqKFIzPnwjEQJ4+gCfav+ZRDKVvC75m21Y9ZUF+1YACbkAoJUI
> o7gclmYD8G7tWbqJ3n5mkm6O
> =gg+6
> -----END PGP SIGNATURE-----

I agree with you, Jeroen. I misunderstood the following phrase:

> And that is only queries, you don't want to know how many RFC1918
> sourced addresses they are dropping, can't send an icmp back now can you :)

I was thinking that you were talking about packets with 
"src=global dest=private", and I just wanted to note that ICMP error
packets are sent with "src=<output_iface>, dest=global".

I see private addressing is a really bad idea, and I quite agree with
http://www.ietf.org/internet-drafts/draft-ietf-ipv6-deprecate-site-local-01.txt

See you and thanks again!


-- 
JFRH

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
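
The edge filtering discussed in the quoted message (only accept source addresses delegated to the client, only forward to a client what is destined to it), together with recognising the RFC 1918 reverse-DNS queries that AS112 deals with, as an added example that is not part of the original thread. The port names, the `DELEGATED` table and the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: prefixes delegated to each customer-facing port
# (documentation ranges, hypothetical port names).
DELEGATED = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/25")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/24")],
}

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def ingress_verdict(port, src):
    """Packet arriving FROM a customer port: accept only delegated sources."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, DELEGATED.get(port, [])):
        return "forward"
    # Not delegated: tell private-space leaks apart from other bad sources.
    if _in_any(addr, RFC1918):
        return "drop-rfc1918"
    return "drop-not-delegated"

def egress_verdict(port, dst):
    """Packet going TO a customer port: forward only to its own prefixes."""
    addr = ipaddress.ip_address(dst)
    return "forward" if _in_any(addr, DELEGATED.get(port, [])) else "drop"

def is_rfc1918_ptr(qname):
    """True for reverse names such as 1.0.168.192.in-addr.arpa. that map
    into RFC 1918 space and should never reach a root server."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return False
    try:
        addr = ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return False
    return _in_any(addr, RFC1918)

if __name__ == "__main__":
    for port, src in [("cust-a", "198.51.100.10"), ("cust-a", "192.168.0.1"),
                      ("cust-a", "203.0.113.5")]:
        print(port, src, ingress_verdict(port, src))
    print(is_rfc1918_ptr("1.0.168.192.in-addr.arpa."))
```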