[6bone] non-global address space for IXs (was: 2001:478:: as /48)

Gert Doering gert@space.net
Sun, 7 Sep 2003 21:26:02 +0200


Hi,

On Sun, Sep 07, 2003 at 02:41:25PM -0400, John Fraizer wrote:
> > Source IP Filtering (as in "dropping packets sourced from there") will
> > break PMTU-D.  Route filtering (as in "not knowing where to send 
> > answer packets to", which isn't needed here) won't.
> 
> If you're not running RPF, I have to ask, Why Not?  Do you just want
> desperately to be the source of spoofed traffic?

Running uRPF *towards our customers* will prevent sourcing of spoofed
traffic from our network.  Which is good, and which we do.  Which you know.

Running uRPF towards our upstream doesn't help that much (we *do* have
access-list based filters that prevent spoofed packets carrying our
source addresses from coming in that way) but is much more likely to
break things.

> RPF, combined with IX address space not being in the routing table will
> break PMTU-D.

Sure.

(Which actually makes the whole discussion turn into a circle - as it
*might* break things for some people, it's not overly useful to go for
an IXP addressing system that is quite likely to hit default filtering
rules full-speed).

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  55575  (56535)

SpaceNet AG                 Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
80807 Muenchen              Fax : +49-89-32356-299
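
An added illustration, not part of the original message: a small Python model of the uRPF source check showing why an ICMPv6 Packet Too Big sent from an IX-LAN address is dropped when the IX prefix is absent from the routing table. All prefixes, interface names and the default-free table are constructed assumptions using the 2001:db8::/32 documentation range.

```python
import ipaddress

# Constructed topology (documentation prefix); none of these values come from the thread.
IX_LAN = "2001:db8:ffff::/48"      # hypothetical IX peering LAN
IX_ROUTER = "2001:db8:ffff::1"     # router that answers from its IX-facing address
FIB = {                            # prefix -> interface the route points out of
    "2001:db8:1::/48": "customer0",
    "2001:db8:2::/48": "upstream0",
}                                  # assumption: default-free table, no ::/0 entry


def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_accepts(fib, src, in_iface, mode="strict"):
    """strict: the route back to src must use in_iface; loose: any route to src."""
    out = lookup(fib, src)
    if out is None:
        return False               # no route to the source at all: dropped in both modes
    return mode == "loose" or out == in_iface


def packet_too_big_delivered(fib, mode):
    """Does a Packet Too Big from the IX router survive ingress on upstream0?"""
    return urpf_accepts(fib, IX_ROUTER, "upstream0", mode)


if __name__ == "__main__":
    with_ix = {**FIB, IX_LAN: "upstream0"}   # same table, IX LAN now routed
    # Customer-facing strict check: a source that belongs elsewhere is rejected.
    print("spoofed source on customer0 accepted:",
          urpf_accepts(FIB, "2001:db8:2::1", "customer0"))
    for name, fib in (("IX LAN not routed", FIB), ("IX LAN routed", with_ix)):
        for mode in ("strict", "loose"):
            print(f"{name:18} {mode:6} PTB delivered:",
                  packet_too_big_delivered(fib, mode))
```

In this model loose mode does not rescue the Packet Too Big either, because the source has no matching route of any kind; the sender then never learns the smaller path MTU.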