nanog mailing list archives
Re: ingress filtering and multiple Internet connections
From: Owen DeLong <owen () delong com>
Date: Sun, 25 Oct 2009 20:51:13 -0700
On Oct 25, 2009, at 4:05 PM, Joe Maimon wrote:
> Joe Greco wrote:
>> There's a problem: I can validly emit a variety of other addresses, in particular any address in 206.55.64.0/20 and some other networks. I am not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a Comcast pipe.
>>
>> How many people realistically have this problem? Well, potentially, lots. Anyone who uses a VPN could have a legitimate IP address on their machine; because of BCP38 (and other security policy) it is common for a VPN setup to forward Internet-bound traffic back to the VPN server rather than directly out the Internet. In some cases, one could reasonably argue that this is undesirable.
>
> I would like to take the opportunity to urge vendors of routers and firewalls to take extra special care and attention to make sure that The Right Thing can always happen whenever multiple egress services are employed.
>
> This means that policy routing for network AND ALL locally generated traffic should be available and work as the operator intends it to.
>
> This includes the ability to turn OFF stateful inspection in all cases if desired, and, full ability to support asymmetrical (or Triangle) routing in cases where it is desired. Also, not breaking PMTU-D would be good.
>
> Right now things still suck pretty hard, depending on what you are using.

Indeed.

Owen
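
An added illustration, not part of the thread or written by any of its participants: a small Python model of the situation discussed above, in which a strict BCP38 ingress filter on each uplink drops validly sourced packets that leave by the wrong link, and source-based egress selection avoids the drop. Only 206.55.64.0/20 comes from the message; the 198.51.100.0/24 prefix, the uplink names and the function names are assumptions.

```python
import ipaddress

# Constructed two-uplink site. 206.55.64.0/20 is the prefix named in the
# thread; 198.51.100.0/24 (documentation range) and the uplink names are assumed.
UPLINKS = {
    "cable":  [ipaddress.ip_network("198.51.100.0/24")],
    "tunnel": [ipaddress.ip_network("206.55.64.0/20")],
}
DEFAULT_UPLINK = "cable"  # where a destination-only default route points


def bcp38_permits(uplink, src):
    """Provider-side ingress filter: accept only sources assigned on this link."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in UPLINKS[uplink])


def pick_by_destination(src):
    """Plain destination routing: the source address is never consulted."""
    return DEFAULT_UPLINK


def pick_by_source(src):
    """Source-based policy routing: longest matching assigned prefix wins.

    Returns None when no uplink is assigned a prefix covering src, so the
    packet is dropped locally instead of being emitted into a filter.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for uplink, nets in UPLINKS.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (uplink, net)
    return best[0] if best else None


def outcome(picker, src):
    """Return (uplink, verdict) for one packet under the given egress policy."""
    uplink = picker(src)
    if uplink is None:
        return (None, "dropped locally")
    verdict = "forwarded" if bcp38_permits(uplink, src) else "dropped by ingress filter"
    return (uplink, verdict)


if __name__ == "__main__":
    for src in ("206.55.64.10", "198.51.100.7", "192.0.2.99"):
        print(src, outcome(pick_by_destination, src), outcome(pick_by_source, src))
```

The model treats forwarded and locally generated packets identically, which is the behaviour the quoted message asks vendors to provide.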