[NCLUG] Egress Filtering

John L. Bass jbass at dmsd.com
Fri Aug 10 23:22:50 MDT 2001


	>however, if everyone who isn't in this boat did filter, the world would be a
	>better place.

	Agreed.  I didn't say that people SHOULDN'T filter, I just was giving some
	explanations as to why they don't.  I think it's a very good idea.

The problem with starting to filter is where to stop. It's kinda like mistaking
the Atlantic for a local pond. EVERYBODY has their favorite swamp to drain. Filtering
for forged headers is just the tip of the iceberg. I can think of several more reasons
to filter that probably would have a higher yield - and oh boy, down the slippery slope
we go.

Kinda like the theory that it's just "one" filter rule for "Egress Filtering". Our little
coop only has about 50 member sites ... we also transport 3 private portable Class C's,
two more in FRII's address block our customers use, and two more in the 192.168. block
we use internally and sometimes NAT. So much for "only one", I would hate to manage the
dynamic mess of a "normal" ISP.

Even doing it at the edge routers is not without interesting problems when allowing static
IP assignments to PPP/SLIP customers that do not use the same POP. Or static assignments
for DSL/Frame/T1 customers when they have to use dialup as a backup when a connection is
down.

John
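To make the "more than one rule" point and the static-IP/failover caveat above concrete, here is an added example (not from the original post or the NCLUG coop) that models an egress source-address filter for a network carrying several address blocks. The address plan is constructed: RFC 5737 and RFC 2544 reserved prefixes stand in for the three portable Class Cs and the two blocks from the upstream, 192.168.0.0/16 is the internal NATed block, and the POP-to-prefix mapping, the function names and the sample packets are all hypothetical.

```python
"""Egress (source-address) filtering for a small multi-block network.

Added example, not from the original post. The address plan below is
constructed: RFC 5737 / RFC 2544 reserved prefixes stand in for the coop's
portable Class Cs and the blocks assigned out of the upstream's space.
"""
import ipaddress
from typing import Dict, List

IPv4Network = ipaddress.IPv4Network

# Constructed address plan (hypothetical; mirrors "three portable Class C's,
# two more from the upstream, and 192.168.x used internally and NATed").
PORTABLE_CLASS_CS: List[IPv4Network] = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
UPSTREAM_ASSIGNED: List[IPv4Network] = [
    ipaddress.ip_network("198.18.0.0/24"),
    ipaddress.ip_network("198.18.1.0/24"),
]
INTERNAL_RFC1918 = ipaddress.ip_network("192.168.0.0/16")

# Which public prefixes are normally homed at which POP (hypothetical).
POP_PREFIXES: Dict[str, List[IPv4Network]] = {
    "pop-a": [PORTABLE_CLASS_CS[0], PORTABLE_CLASS_CS[1]],
    "pop-b": [PORTABLE_CLASS_CS[2]] + UPSTREAM_ASSIGNED,
}


def build_egress_allowlist() -> List[IPv4Network]:
    """Every prefix legitimately allowed as a source on the upstream link.

    collapse_addresses merges adjacent blocks (198.18.0.0/24 + 198.18.1.0/24
    become 198.18.0.0/23), so the list length is the rule count a router
    would actually need: still several rules, not "only one".
    """
    return list(ipaddress.collapse_addresses(PORTABLE_CLASS_CS + UPSTREAM_ASSIGNED))


def egress_verdict(src: str) -> str:
    """Decide whether a packet with source `src` may leave toward the upstream."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in build_egress_allowlist()):
        return "ACCEPT"
    if addr in INTERNAL_RFC1918:
        # Internal hosts must be NATed before the edge; an untranslated
        # 192.168.x source reaching here is a leak worth logging separately.
        return "DROP (RFC1918 source, NAT missing)"
    return "DROP (spoofed/unknown source)"


def pop_verdict(src: str, pop: str, org_wide: bool = False) -> str:
    """Edge filter applied at a single POP.

    org_wide=False permits only the prefixes homed at that POP, which breaks
    a static-IP customer who dials into (or fails over to) another POP.
    org_wide=True permits any of the organisation's prefixes at every POP,
    at the cost of a weaker per-POP check.
    """
    addr = ipaddress.ip_address(src)
    allowed = build_egress_allowlist() if org_wide else POP_PREFIXES[pop]
    return "ACCEPT" if any(addr in net for net in allowed) else "DROP"


def run_samples() -> Dict[str, str]:
    """Constructed packets that exercise both filters."""
    return {
        "portable-ok": egress_verdict("192.0.2.10"),
        "upstream-ok": egress_verdict("198.18.1.77"),
        "nat-leak": egress_verdict("192.168.5.4"),
        "spoofed": egress_verdict("10.9.8.7"),
        # Static-IP customer from a pop-a block using pop-b dialup as backup.
        "failover-strict": pop_verdict("198.51.100.20", "pop-b"),
        "failover-orgwide": pop_verdict("198.51.100.20", "pop-b", org_wide=True),
    }


if __name__ == "__main__":
    print("rules on the upstream link:", [str(n) for n in build_egress_allowlist()])
    for name, verdict in run_samples().items():
        print(f"{name:18} {verdict}")
```

The two verdict functions show the trade-off the post describes: the upstream-link filter is a strict allowlist of every block the network legitimately sources, while the per-POP filter has to choose between rejecting a customer's own static address when they come in through a different POP and relaxing the check to the whole organisation's prefixes.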
