ISP port blocking practice
[tangent of interest for the archives]
On Sat, Oct 24, 2009 at 02:07:42PM -0500, Joe Greco wrote:
[snip]
> If I'm assigned 24.1.2.3 by Comcast, and Comcast filters my ingress to
> prevent me from emitting other addresses, you claim that's fine because
> it's BCP38.
>
> There's a problem: I can validly emit a variety of other addresses, in
> particular any address in 206.55.64.0/20 and some other networks. I am
> not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a
> Comcast pipe.
Only if your service agreement allows this. Most folks realized both
- the bad guys figured out this 'triangle routing' ages ago (was common
  to send bulk abuse traffic down broadband and receive the ack stream
  on dialup Back In The Day) and specifically disallow it.
- such hacks to attempt multihoming without BGP fail in spectacular
  ways and can't be relied on for any real traffic.
So while you may have an allocation and therefore not be 'forging' by
strict definitions, you are injecting martian traffic as far as the
resi broadband provider is concerned and it should be dropped.
--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
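For the archives, here is a small added example (not code from anyone in this thread) of the ingress check the reply describes: a BCP38-style per-port source-address filter at a residential broadband edge. A packet is forwarded only if its source lies in a prefix the provider has tied to that customer port (the assigned address, plus whatever extra prefixes the service agreement explicitly registers). Anything else, including a prefix the customer legitimately holds but never registered on this port, is a martian as far as this port is concerned and is dropped. The 24.1.2.3 and 206.55.64.0/20 values come from the quoted message; the per-port configuration, the bogon list and the sample packets are constructed assumptions for illustration.

```python
"""BCP38-style source-address validation on a customer edge port.

Added example, not from the original thread. Models the check a
residential broadband provider applies per customer port: forward only
sources inside prefixes registered for that port, drop everything else.
"""
import ipaddress
from dataclasses import dataclass, field

# Sources that are never valid on a customer port regardless of the
# service agreement (assumed bogon list: RFC 1122/1918/3927/5737,
# multicast and reserved space).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class CustomerPort:
    """One customer-facing port and the source prefixes it may emit."""
    name: str
    allowed: list = field(default_factory=list)

    def allow(self, prefix: str) -> None:
        # strict=False so a host address like 24.1.2.3/32 is accepted as-is
        # and a prefix with host bits set is normalised to its network.
        self.allowed.append(ipaddress.ip_network(prefix, strict=False))


def ingress_verdict(port: CustomerPort, src: str) -> str:
    """Decide what the edge does with a packet sourced from `src`.

    Order matters: bogons are rejected before consulting the port's
    allow-list, so a mis-registered RFC1918 prefix still cannot leak.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in bogon for bogon in BOGON_PREFIXES):
        return "drop:bogon"
    if any(addr in prefix for prefix in port.allowed):
        return "forward"
    # Valid on the Internet perhaps, but not registered on this port:
    # the "injecting martian traffic" case from the thread.
    return "drop:martian-on-port"


def filter_packets(port: CustomerPort, sources: list) -> dict:
    """Apply the check to a batch of packet source addresses."""
    return {src: ingress_verdict(port, src) for src in sources}


def demo() -> dict:
    """Constructed scenario: one resi port assigned 24.1.2.3 by the ISP."""
    port = CustomerPort("resi-cmts-port-17")
    port.allow("24.1.2.3/32")

    # Constructed sample packets leaving the customer premises.
    sources = ["24.1.2.3", "206.55.64.10", "10.0.0.5", "206.55.79.254"]
    before = filter_packets(port, sources)

    # Only after the extra allocation is registered in the service
    # agreement does the provider add it to the port's allow-list.
    port.allow("206.55.64.0/20")
    after = filter_packets(port, sources)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, verdicts in demo().items():
        print(phase)
        for src, verdict in verdicts.items():
            print(f"  {src:16} {verdict}")
```

The point the code makes is the one in the reply: holding a valid allocation is not the same as being authorised to source it on a given port. Until 206.55.64.0/20 is registered for the port, every packet from it is dropped as a martian on that port; once the service agreement adds it, the same packets forward, while RFC1918 sources stay dropped either way.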