nanog mailing list archives
Re: do bogon filters still help?
From: Kevin Loch <kloch () hotnic net>
Date: Thu, 12 Jan 2006 10:58:15 -0500
Florian Weimer wrote:
> * Pim van Pelt:
>
>> Hi, here's a member of 'the folks at bit.nl'. Just a quick note to say that we have been sourcing IPv4 packets from 192.88.99.1 at a rate of 2.000 to 10.000 packets per second since early 2003, so I'm guessing we have sent some 750.000 billion packets by now.
>
> And this is just so wrong. You should use an address you own as a source address. Otherwise, packets tend to get dropped by filters.
Wouldn't you expect to see packets return from the same address you send them to? ICMP and stateful firewalls work much better that way. Our 6to4 relay also sources packets from 192.88.99.1, it seems to work best that way.

Don't filter 192.88.99.1 in any direction unless you want to break 6to4. If you want to limit your exposure you could allow only proto 41 and icmp packets and not break it.

If you have native IPv6 on your network you could run a local 6to4 relay for your customers and filter 192.88.99.0/24 to/from your peers.

- Kevin
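The two filtering options described in the message above, modelled as an added example that is not part of the original post: a small Python decision function for each option, run over constructed sample packets. The `Packet` fields, the "customer"/"peer" interface labels and the 198.51.100.x / 203.0.113.x addresses are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

RELAY_ADDR = ipaddress.ip_address("192.88.99.1")    # 6to4 relay address named in the post
RELAY_NET = ipaddress.ip_network("192.88.99.0/24")  # prefix named in the post
PROTO_ICMP, PROTO_TCP, PROTO_IPV6 = 1, 6, 41        # IANA IP protocol numbers

class Packet(NamedTuple):
    src: str
    dst: str
    proto: int
    iface: str  # hypothetical label for the interface the packet crosses

def touches(pkt, target):
    """True if either endpoint equals the address or lies inside the network."""
    addrs = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
    if isinstance(target, ipaddress.IPv4Network):
        return any(a in target for a in addrs)
    return target in addrs

def limited_exposure(pkt):
    """Option 1: to/from 192.88.99.1, allow only proto 41 and ICMP."""
    if touches(pkt, RELAY_ADDR) and pkt.proto not in (PROTO_IPV6, PROTO_ICMP):
        return "drop"
    return "accept"

def local_relay(pkt):
    """Option 2: local relay for customers; 192.88.99.0/24 filtered to/from peers."""
    if touches(pkt, RELAY_NET) and pkt.iface == "peer":
        return "drop"
    return "accept"

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLES = [
    Packet("198.51.100.7", "192.88.99.1", PROTO_IPV6, "customer"),  # 6to4 encapsulated
    Packet("192.88.99.1", "198.51.100.7", PROTO_ICMP, "customer"),  # ICMP back from relay
    Packet("203.0.113.9", "192.88.99.1", PROTO_TCP, "peer"),        # not tunnel traffic
    Packet("192.88.99.1", "198.51.100.7", PROTO_IPV6, "peer"),      # relay reply via a peer
    Packet("203.0.113.9", "198.51.100.7", PROTO_TCP, "peer"),       # unrelated traffic
]

def evaluate(policy):
    """Return the verdict of a policy for each sample packet, in order."""
    return [policy(p) for p in SAMPLES]

if __name__ == "__main__":
    for name, policy in (("limited_exposure", limited_exposure), ("local_relay", local_relay)):
        print(name, evaluate(policy))
```

Under the first policy 6to4 keeps working through any relay; under the second, tunnel traffic only works through the local relay, because relay replies arriving over a peer link are dropped.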