[NCLUG] Egress Filtering
John L. Bass
jbass at dmsd.com
Tue Aug 7 16:36:37 MDT 2001
> > Might suggest they either filter for non-existent address blocks on the
> > network, or cut the size of the subnets.
>
> Good suggestion... but think of Charter this way: Qworst, only run entirely
> by marketing people.
Actually, it brings up a good point. I would not like my ISP doing a
lot of filtering, but why don't they at least do egress filtering?
Actually - the suggestion is to drop on the floor inbound packets for which
there is no subscriber - and avoid the looming arp broadcast storm. This is
not subscriber filtering.
Secondly, the problem of egress filtering for a large ISP is they typically
route many portable Class C's. Adding that CPU table lookup on routers isn't
cheap in terms of processor/memory bandwidth and adds to pass thru latency.
Okay, so all that dry stuff behind me, I guess the question is, why
doesn't @Home do this? Do you know Steve Gibson of the Gibson Research
Corporation? He's a PR-hound if I ever saw one... Although he has
moments of sharpness, he mostly seems to do the Geraldo-esque
Where this should be put is the cable modem and DSL boxes - not accept packets
outbound that do not match the subscriber's subnet/IP.
It's not necessary to degrade the discussion with personal attacks. It's way
too easy to piss on someone else without any knowledge of the tradeoffs and
impacts - I suspect few could fit in the guy's shoes for a month without getting
fired.
John
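
The two checks discussed in this message, modelled as an added example that is not part of the original post: the source-address check at the cable modem / DSL box, and the edge router dropping inbound packets addressed to space no subscriber holds. The address ranges (RFC 5737 documentation blocks), modem names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: one subscriber segment and the space leased on it.
SEGMENT = ipaddress.ip_network("192.0.2.0/24")
LEASES = {                                   # modem id -> subnet or single IP
    "modem-a": ipaddress.ip_network("192.0.2.10/32"),
    "modem-b": ipaddress.ip_network("192.0.2.16/29"),
}

def cpe_egress(modem, src):
    """Check at the cable modem / DSL box: forward an outbound packet only
    if its source address falls inside this subscriber's own subnet/IP."""
    lease = LEASES.get(modem)
    if lease is None:
        return "drop"                        # unknown modem: nothing is valid
    return "forward" if ipaddress.ip_address(src) in lease else "drop"

def router_inbound(dst):
    """Check at the edge router: drop inbound packets for addresses on the
    segment that no subscriber holds, so no ARP broadcast is sent for them."""
    addr = ipaddress.ip_address(dst)
    if addr not in SEGMENT:
        return "not-this-segment"
    held = any(addr in lease for lease in LEASES.values())
    return "deliver" if held else "drop"

def arp_requests_avoided(destinations):
    """Count inbound packets that would each have triggered an ARP request
    for a host that does not exist (e.g. during an address sweep)."""
    return sum(1 for d in destinations if router_inbound(d) == "drop")

if __name__ == "__main__":
    # Constructed traffic: a sweep of the first 32 host addresses on the segment.
    sweep = [str(SEGMENT.network_address + i) for i in range(1, 33)]
    print("ARP requests avoided:", arp_requests_avoided(sweep))
    for modem, src in [("modem-a", "192.0.2.10"),    # own address
                       ("modem-a", "192.0.2.17"),    # neighbour's address
                       ("modem-b", "192.0.2.17"),    # inside own /29
                       ("modem-b", "198.51.100.7")]: # address from elsewhere
        print(modem, src, cpe_egress(modem, src))
```
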