WebApp Sec mailing list archives

Re: Tying a session to an IP address


From: exon <exon () home se>
Date: Mon, 10 May 2004 23:11:18 +0200

Toni Heinonen wrote:
>> You're assuming that routers care about a packet's origin.
>
> That's not a far-fetched assumption. Of course, your perimeter router (or perhaps firewall) is supposed to filter all traffic clearly not from the Internet (127/8, 224, APIPA, RFC 1918 and of course your own addresses)

But if you didn't want it to be a public service, you might as well block incoming traffic on the port anyway, so this doesn't apply.

> and it isn't far-fetched to think ISPs do filtering on their clients' outbound traffic. My ISP does this; I can't spoof my address.

I still haven't found one that does. And the belligerent sort that resort to spoofing often have access to a host or two in some godforsaken remote location that not even viruses care about and where IP tracking is a novelty.

> Also, the ISP's routers at different connection points across the Internet can do reverse filtering based on their routing information (if a packet says it's coming from 193.65.76 and that network is, by routing information, only behind another interface, it's discarded). I've heard of ISPs that do this too.

See the statement above regarding perimeter routers. As for the backbone routers, this is simply ludicrous. There would be no end to the computing power required to sift out traffic on a scale of 10 Gbit/s. In Sweden, those routers run at a minimum of 60% bandwidth usage more or less nonstop. That's 750000000 octets every second, in case you were wondering.

/exon
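The perimeter bogon filtering and the routing-table reverse-path check discussed in the thread, worked through as an added example (not code from the list or from either poster). The routing table, the interface names and the 193.65.76.0/24 "own" prefix are constructed for illustration; the check treats the default route as a valid reverse path, which real routers only do when explicitly configured.

```python
"""Strict reverse-path (source address) check plus perimeter bogon filter.
Added illustration for the thread; all addresses and routes are constructed."""
import ipaddress

# Constructed routing table: prefix -> interface through which it is reached.
ROUTES = {
    ipaddress.ip_network("193.65.76.0/24"): "eth1",   # customer-facing side
    ipaddress.ip_network("10.0.0.0/8"): "eth1",       # internal network
    ipaddress.ip_network("0.0.0.0/0"): "eth0",        # default route: the Internet
}

# Ranges that must never appear as a source on the Internet-facing interface
# (the list from the thread: 127/8, 224/4, APIPA, RFC 1918).
BOGONS = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8", "224.0.0.0/4", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]
OWN_PREFIX = ipaddress.ip_network("193.65.76.0/24")  # constructed "our own" block


def best_route(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    matches = [n for n in ROUTES if addr in n]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]


def ingress_verdict(src, iface):
    """Return 'accept' or a drop reason for a packet with source src seen on iface."""
    addr = ipaddress.ip_address(src)
    if iface == "eth0":  # perimeter checks apply on the Internet side only
        if any(addr in b for b in BOGONS):
            return "drop: bogon source"
        if addr in OWN_PREFIX:
            return "drop: our own address from outside"
    # Strict reverse-path check: the source must be reachable back through
    # the interface the packet arrived on, otherwise it is treated as spoofed.
    if best_route(addr) != iface:
        return "drop: reverse path mismatch"
    return "accept"


if __name__ == "__main__":
    for src, iface in [("8.8.8.8", "eth0"), ("8.8.8.8", "eth1"),
                       ("193.65.76.5", "eth0"), ("127.0.0.1", "eth0")]:
        print(src, iface, "->", ingress_verdict(src, iface))
```

A customer host on eth1 sending with an Internet source address is dropped by the reverse-path rule, which is exactly the outbound filtering the thread says some ISPs apply.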

