[NCLUG] Egress Filtering

Sean Reifschneider jafo-nclug at tummy.com
Tue Aug 14 02:58:22 MDT 2001


On Sat, Aug 11, 2001 at 02:31:52PM -0600, John L. Bass wrote:
>Policy does work nearly as well as filtering. ISPs should simply require
>their customers not propagate 10. or 192.168. packets outside the customer
>network, monitor for breach, and advise to correct or disconnect when
>in violation. This avoids egress filtering,

Heh...  Many ISPs have enough trouble monitoring their own networks -- you
expect them to monitor the packets being sent by each of their clients?

Personally, I'd rather have them put a filter on to block their receiving
that traffic from me, than installing a filter that logs it so that they
can later harass me about it.  Unless I'm missing something, they'd HAVE to
do that monitoring on the customer edges of their network because once it
reaches their core routers they don't know where it came from...

So, it's just as much work to set up, if not more, but it requires ongoing
monitoring and harassing of the customers...  I don't think that qualifies
as KISS...

Sean
-- 
 I have a large collection of sea shells, which I keep scattered on beaches
 around the world.  Maybe you've seen it...  -- Steven Wright
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python


