asymmetric routing
Pim van Pelt
pim@ipng.nl
Sun, 27 Jan 2002 12:28:30 +0100
Hallo,
I had always suspected it to be the case, but recently I have been monitoring
the traffic that goes through the TunnelBroker at IPng.nl, and see that
several of my downstream users are pushing foreign traffic through my
router in Amsterdam.
I would like to bring this to your attention, because of the following.
Many people seem to believe that IPv6 is the solution to all current IPv4
problems, such as spoofing, broadcast and others.
The spoofing aspect, which is demonstrated by the IPng situation, will not
be properly taken care of unless we (the IPv6 administrators of today) set
a good example and refuse to route traffic on our borders that does not
originate within our own networks.
In the example of my tunnelbroker, I am now dropping all the traffic sourced
from outside of the IPng space, typically 3ffe:8114:2000::/52 and
3ffe:8114:1000::/48, trying to traverse the tunnelbroker from downstream
to upstream.
Is this common practice with tunnelbrokers? Does anybody want to share their
experience on this matter ? Installing these simple rulesets 'as default'
should not seem that big a deal with today's routing hardware.
What do the folk from Cisco think about these anti-spoof measures being set
to enabled state per default (user overridable of course) ?
I for one would like to see my fellow tunnelbroker admins enable these types
of rulesets on their infrastructure. It will make collecting tunnels
impossible, a thing that is common on tunnelbroker+irc land, but no longer
possible at my site.
groet,
Pim
--
---------- - - - - -+- - - - - ----------
Pim van Pelt Email: pim@ipng.nl
http://www.ipng.nl/ IPv6 Deployment
-----------------------------------------------