nanog mailing list archives
Re: Who does source address validation? (was Re: what's that smell?)
From: Hank Nussbacher <hank () att net il>
Date: Thu, 10 Oct 2002 15:11:35 +0300
At 10:43 PM 09-10-02 -0700, Steve Francis wrote:
Valdis.Kletnieks () vt edu wrote:

That's not terribly hard to overcome - allow icmp unreachables (from any source) in your acl, then deny all traffic from RFC 1918 addresses, then the rest of the ACL.

My personal pet peeve is the opposite - we'll try to use pMTU, some provider along the way sees fit to run it through a tunnel, so the MTU there is 1460 instead of 1500 - and the chuckleheads number the tunnel endpoints out of 1918 space - so the 'ICMP Frag Needed' gets tossed at our border routers, because we do both ingress and egress filtering.

Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up with all the functionality, and almost none of the bogus traffic.
CAR should not be used to rate-limit but instead use the MQC police command which basically does the same thing. CAR is not going to be around much longer and is not being developed anymore:

Have a look at:
http://www.cisco.com/warp/public/105/cbpcar.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt8/qcfmcli2.htm
for more information.

-Hank
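The filter ordering and ICMP rate limiting discussed in this message, modelled as an added example that is not part of the original thread or of any Cisco configuration. The token bucket is a simplified stand-in for a policer, and the rate, burst, addresses and packet sizes are assumed values chosen for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def acl(pkt):
    """First-match ACL in the order given in the quoted text."""
    src = ipaddress.ip_address(pkt["src"])
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 3:
        return "permit"   # 1. ICMP unreachables, any source (covers Frag Needed)
    if any(src in net for net in RFC1918):
        return "deny"     # 2. everything else sourced from RFC 1918 space
    return "permit"       # 3. stand-in for "the rest of the ACL"

class Policer:
    """Single-rate token bucket: conforming packets pass, excess is dropped."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # refill in bytes per second
        self.burst = self.tokens = burst_bytes
        self.last = 0.0

    def conforms(self, now, size):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False
        self.tokens -= size
        return True

def border(packets, policer):
    """Apply the ACL, then police whatever ICMP the ACL let through."""
    verdicts = []
    for p in packets:
        v = acl(p)
        if v == "permit" and p["proto"] == "icmp" and not policer.conforms(p["t"], p["len"]):
            v = "policed"
        verdicts.append(v)
    return verdicts

# Constructed sample traffic (addresses and sizes are illustrative).
SAMPLE = [
    {"t": 0.0, "src": "10.255.0.1", "proto": "icmp", "icmp_type": 3, "len": 56},
    {"t": 0.0, "src": "192.168.1.5", "proto": "tcp", "len": 60},
    {"t": 0.0, "src": "172.16.9.9", "proto": "icmp", "icmp_type": 8, "len": 84},
    {"t": 0.0, "src": "198.51.100.7", "proto": "tcp", "len": 1500},
] + [{"t": 0.1, "src": "10.9.9.9", "proto": "icmp", "icmp_type": 3, "len": 56}] * 30

if __name__ == "__main__":
    print(border(SAMPLE, Policer(rate_bps=8000, burst_bytes=1500)))
```

The single Frag Needed from a 1918-numbered tunnel endpoint passes, other 1918-sourced traffic is denied, and a burst of 30 unreachables is cut off once the bucket is empty.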