[NCLUG] Egress Filtering

John L. Bass jbass at dmsd.com
Sat Aug 11 14:31:52 MDT 2001


	From: Sean Reifschneider <jafo-nclug at tummy.com>

	So you would vote against filtering out packets that are obviously invalid?
	In Evi Nemeth's talk to BLUG last year, she quoted stats that a fairly
	large percentage of the packets running across the large backbone sites
	were 10.* sort of non-routable IPs, which you couldn't expect to get a
	reply by using.  The big providers couldn't filter it out because of the
	loads it caused...

	If you're not part of the solution, you're probably part of the problem.

Frankly, my position previously stated, and YOU later ALSO stated, was that this
type of filtering belongs at the customer edge routers, where it typically doesn't
create a significant single-point bottleneck downstream at the ISP gateway router
trying to do egress filtering.  Anyone that designs an internal network with 10. or
192.168. networks is obligated to keep those packets inside their network.

Policy does work nearly as well as filtering. ISPs should simply require their customers
not to propagate 10. or 192.168. packets outside the customer network, monitor for breach,
and advise to correct or disconnect when in violation. This avoids egress filtering,
and nearly completely solves the specific problem you raise.

People who require draconian technology solutions for all problems generally create
their own problems, failing to manage the complexity of their own nightmare creation.
KISS.

John
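The two placements argued over in this thread, as an added example that is not code from the list or its authors: a customer-edge drop rule for packets leaving the WAN side with a private address, and the ISP-side breach monitor that counts leaked private-source packets per customer from constructed flow records. It goes beyond the post by also covering 172.16/12, the third RFC 1918 block; the interface and customer names are assumed.

```python
import ipaddress
from collections import Counter

# RFC 1918 blocks. The post names 10/8 and 192.168/16; 172.16/12 is the
# third RFC 1918 block and is included so the check covers the whole set.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def egress_verdict(src, dst, out_iface, wan_iface="wan0"):
    """Customer-edge rule: a packet leaving on the WAN interface (assumed
    name 'wan0') with a private source or destination is dropped; anything
    staying inside the site, or with public addresses, is forwarded."""
    if out_iface != wan_iface:
        return "forward"            # internal traffic is not our concern here
    if is_private(src) or is_private(dst):
        return "drop"               # must never cross the customer boundary
    return "forward"


# Constructed flow records an ISP might collect at its customer ports:
# (customer, src, dst). A private src here means the customer edge let it out.
SAMPLE_FLOWS = [
    ("cust-a", "203.0.113.10", "198.51.100.7"),
    ("cust-a", "10.1.2.3", "198.51.100.7"),
    ("cust-b", "192.168.1.20", "198.51.100.9"),
    ("cust-b", "192.168.1.21", "198.51.100.9"),
    ("cust-c", "203.0.113.77", "198.51.100.9"),
]


def audit_leaks(flows):
    """ISP-side policy monitor: count packets per customer whose source is an
    RFC 1918 address, i.e. packets the customer's edge should have kept."""
    leaks = Counter(cust for cust, src, _dst in flows if is_private(src))
    return dict(leaks)


if __name__ == "__main__":
    for cust, n in audit_leaks(SAMPLE_FLOWS).items():
        print(f"{cust}: {n} leaked private-source packet(s); advise to correct")
```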


