nanog mailing list archives

RE: Exodus / Clue problems


From: "John A. Tamplin" <jat () traveller com>
Date: Mon, 16 Nov 1998 15:12:26 -0600 (CST)

On Mon, 16 Nov 1998, John Fraizer wrote:

> Hell, for that matter, I block anything claiming to be from our networks as
> well.  There's no way they'll be originating from the outside unless it's
> spoofed.
>
> Nothing and I mean NOTHING claiming to be from any of them at your border
> is valid.

Actually, if you have a multihomed customer with your address space and 
their link to you goes down, you could legitimately receive traffic from
your address block across external links if they then access hosts on
your network via other connections.

However, allowing that opens your network up to be spoofed and so it is
commonly accepted practice to block internal addresses coming in over
transit/peering links.  If someone wants to multihome, they really need to 
have their own address block to take full advantage of it anyway.

You have an analogous problem if you filter inbound customer links, in that
if they are multihomed and have address space from another ISP, you have to
allow those addresses in your filters.  If they provide transit, you either
need to have everything downstream for them or just punt (perhaps only
blocking your address space that you didn't assign to them).

John A. Tamplin                                 Traveller Information Services
jat () Traveller COM                            2104 West Ferry Way
256/705-7007 - FAX 256/705-7100                 Huntsville, AL 35801
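
The filtering rules discussed in this message, sketched as an added example that is not part of the original post or any poster's configuration. The prefixes (RFC 5737 documentation ranges), customer names and the `permit_source` function are constructed for illustration.

```python
import ipaddress as ip

# Constructed sample data, not taken from the thread.
OUR_SPACE = ["198.51.100.0/24"]  # the ISP's own address block
CUSTOMERS = {
    # Single-homed: only space we assigned.
    "cust-a": {"assigned": ["198.51.100.0/26"], "other": [], "transit": False},
    # Multihomed: also holds space from another ISP, which the filter must allow.
    "cust-b": {"assigned": ["198.51.100.64/26"], "other": ["203.0.113.0/25"],
               "transit": False},
    # Provides transit: downstream sources are not all known, so we "punt".
    "cust-c": {"assigned": ["198.51.100.128/26"], "other": [], "transit": True},
}

def in_any(addr, prefixes):
    """True if addr falls inside any of the given prefixes."""
    return any(addr in ip.ip_network(p) for p in prefixes)

def permit_source(iface, src):
    """Decide whether a packet with source address src may enter on iface.

    iface is "external" (transit/peering link) or a customer name.
    """
    addr = ip.ip_address(src)
    ours = in_any(addr, OUR_SPACE)
    if iface == "external":
        # Border rule: our own space arriving from outside is treated as
        # spoofed. The cost noted in the message: a multihomed customer using
        # our space, reaching us via another path while their link to us is
        # down, is dropped as well.
        return not ours
    cust = CUSTOMERS[iface]
    if in_any(addr, cust["assigned"]) or in_any(addr, cust["other"]):
        return True
    if cust["transit"]:
        # Punt: accept unknown downstream sources, but still block our own
        # space that was not assigned to this customer.
        return not ours
    return False

if __name__ == "__main__":
    for iface, src in [("external", "198.51.100.10"), ("cust-b", "203.0.113.5"),
                       ("cust-c", "198.51.100.70"), ("cust-c", "192.0.2.1")]:
        print(iface, src, "permit" if permit_source(iface, src) else "deny")
```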


