nanog mailing list archives

Re: [arin-announce] IPv4 Address Space (fwd)


From: Alex Yuriev <alex () yuriev com>
Date: Wed, 29 Oct 2003 14:24:16 -0500 (EST)


I think the other point that may be escaping some people,
is that as more and more connections take on this VPN-like
quality, as network operators we lose any visibility into
the validity of the traffic itself.  

As network operators, we move bits, and that is what we should stick to
moving.

We do not look into packets and say "oh look, this to me looks like evil
application traffic", and we should not do that. It should not be the goal
of the IS to enforce policy for the traffic that passes through it. That
type of enforcement should be left to the ES.

Imagine how much more painful SQL Slammer would have been, if all the
traffic was encapsulated in port 80 between sites, and only hit port 1434
locally?

How do you know which traffic is good and which traffic is evil?

At least today, we can decide that 92 byte ICMP echo-request
packets are invalid, and drop them; or that for the most part,
packets destined to port 1434 should be discarded as quickly
as possible.

How does your IS know what a _particular_ ES uses port 1434 for?


Alex
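The exchange above contrasts two things: a header-only filter in the network (the "IS") that can match on port 1434 or on a 92-byte ICMP echo-request, and traffic that has been tunnelled so the IS only sees the outer header. The following model is an added example, not code from the original post or from NANOG; the packet records, the sizes (a 404-byte UDP/1434 datagram standing in for a Slammer probe) and the tunnel overhead are constructed for illustration. It shows that the same inner packet is dropped by the header rules when it travels natively and permitted once it is wrapped in an outer TCP/80 flow, because the filter never looks past the outer header.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict

# Minimal packet model: only the fields a stateless router ACL can match on,
# plus an opaque payload that the ACL does not inspect. (Constructed example.)
@dataclass
class Packet:
    proto: str                       # "icmp", "udp" or "tcp"
    length: int                      # total IP length in bytes
    dport: Optional[int] = None      # UDP/TCP destination port
    icmp_type: Optional[int] = None  # 8 = echo-request
    payload: bytes = field(default=b"", repr=False)


def header_filter(pkt: Packet) -> Tuple[str, str]:
    """The IS-side rules from the thread, applied to header fields only.

    Returns (decision, reason). The payload is deliberately never consulted;
    that is exactly the limitation the post is about.
    """
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.length == 92:
        return ("drop", "92-byte ICMP echo-request")
    if pkt.proto in ("udp", "tcp") and pkt.dport == 1434:
        return ("drop", "destination port 1434")
    return ("permit", "no header match")


def serialize(pkt: Packet) -> bytes:
    """Toy wire encoding of the inner packet so it can ride as tunnel payload."""
    head = f"{pkt.proto}|{pkt.length}|{pkt.dport}|{pkt.icmp_type}|".encode()
    return head + pkt.payload


def tunnel(inner: Packet, outer_dport: int = 80, overhead: int = 40) -> Packet:
    """Model a VPN-like encapsulation: the whole inner packet becomes opaque
    payload of an outer TCP segment to `outer_dport`. `overhead` (assumed
    40 bytes) stands in for the outer IP/TCP headers."""
    return Packet(proto="tcp",
                  length=inner.length + overhead,
                  dport=outer_dport,
                  payload=serialize(inner))


def scenario() -> Dict[str, str]:
    """Run the same inner traffic natively and through a tunnel.

    Returns a mapping of scenario name -> filter decision so the result can
    be checked rather than only printed.
    """
    # Constructed sample traffic (sizes chosen to trigger the rules).
    slammer_probe = Packet(proto="udp", length=404, dport=1434, payload=b"\x04" * 376)
    nachi_style_ping = Packet(proto="icmp", length=92, icmp_type=8, payload=b"\xaa" * 64)
    ordinary_ping = Packet(proto="icmp", length=84, icmp_type=8, payload=b"\x00" * 56)

    results = {
        "native udp/1434": header_filter(slammer_probe)[0],
        "native 92-byte echo-request": header_filter(nachi_style_ping)[0],
        "native 84-byte echo-request": header_filter(ordinary_ping)[0],
        # Same bytes, wrapped so the IS only sees TCP/80 -> rules cannot fire.
        "tunnelled udp/1434": header_filter(tunnel(slammer_probe))[0],
        "tunnelled 92-byte echo-request": header_filter(tunnel(nachi_style_ping))[0],
    }
    return results


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name:32s} -> {decision}")
```

The point the model makes concrete: a header-only rule on port 1434 is a statement about what the IS can see, not about what the ES is actually running; once the flow is encapsulated, the only party that can still tell the two apart is the endpoint that decapsulates it.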



