On 15 Oct 2003, at 23:24, Michel Py wrote:
RFC 2827 provides exactly these recommendations.
[FYI: RFC 2827 is about ingress filtering to stop source address
spoofing]
Does it? We are not talking about blocking RFC1918 traffic here;
I was.
what we
are talking about is blocking traffic where both SA (after NAT) and DA are
public and that contains a DNS request for a PTR like 8191CFR.in-addr.arpa,
which requires decapsulating the packet to inspect its content. It's
not that simple.
I don't feel that a lookup for <something>.10.in-addr.arpa is all that
wrong. This can be handled in many very reasonable ways, and the usual
caching applies. Requests with unroutable sources are wrong because
they break the protocol.
Iljitsch
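Added example, not part of the thread: a resolver-side policy in Python that models both positions above. Queries with unroutable sources are dropped (they break the protocol), while PTR lookups under the RFC 1918 reverse zones are answered locally instead of being forwarded to the public DNS. The policy labels, the view of a resolver whose clients are expected to have public source addresses, and the sample addresses are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges. Reverse lookups that fall entirely inside one of
# these should be answered locally (empty zones) rather than forwarded.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def reverse_name_to_network(qname):
    """Map an in-addr.arpa name, possibly partial (e.g. '3.10.in-addr.arpa'),
    to the IPv4 network it denotes. Returns None for non-reverse names."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2]
    if not 1 <= len(octets) <= 4:
        return None
    try:
        vals = [int(o) for o in octets]
    except ValueError:
        return None
    # Reject out-of-range octets and non-canonical forms such as '01'.
    if any(not 0 <= v <= 255 for v in vals) or any(
        o != str(v) for o, v in zip(octets, vals)
    ):
        return None
    # Reverse names list octets least-significant first; pad missing ones with 0
    # so a partial name becomes the prefix it covers (e.g. 10.3.0.0/16).
    addr_octets = list(reversed(vals)) + [0] * (4 - len(vals))
    prefix_len = 8 * len(vals)
    return ipaddress.ip_network(
        ".".join(str(o) for o in addr_octets) + "/" + str(prefix_len)
    )


def classify_query(src_ip, qname):
    """Constructed policy (not from the thread): 'drop' if the source address is
    not globally routable, 'answer-locally' if the queried name lies wholly
    inside an RFC 1918 reverse zone, otherwise 'forward'."""
    src = ipaddress.ip_address(src_ip)
    if not src.is_global:
        return "drop"
    net = reverse_name_to_network(qname)
    # '172.in-addr.arpa' covers more than 172.16/12, so it is still forwarded.
    if net is not None and any(net.subnet_of(p) for p in RFC1918_NETS):
        return "answer-locally"
    return "forward"
```

Note that a query for `172.in-addr.arpa` itself is forwarded, since only `16.172` through `31.172` are private; the subnet check handles this without a hard-coded list of 16 zones.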