
Re: Non terminated traffic...

2003-12-12 13:10:51
Obsession with security has broken a lot of things. 

In ICMP there are defined responses for "Network Unreachable" and "Host
Unreachable". Of course, today those responses are blocked and ignored -
even pings don't make it across some ISPs - like Earthlink! I suspect
pings are blocked to prevent traceroutes and timing statistics from being
collected.

Niket Patwardhan

Franck Martin wrote:

Yes it is problem 2)

and yes I realise it is difficult to solve. This is why I suggested a
new RFC...

Basically we are starting to see viruses and hackers probing our
networks... What do we do about it to preserve the Internet bandwidth?

Cheers

On Thu, 2003-12-11 at 11:48, bill wrote:

     So is your problem
     1) That you are seeing packets outside of your address range (x.y.z/24)
     in which case the upstream router incorrectly routed a packet over your
     link
     Or
     2) That you have x.y.z/24 assigned to you, AND you are only using 10 of
     those addresses, and you are seeing packets for the other 245 addresses

     If it is 1) correct routing will eventually solve the problem.  If it is
     2) that would be a very hard problem to solve, having to hook up various
     servers to figure out WHAT addresses have endpoints attached to them.
     What do you want to happen when one of your machines reboots - so for 3
     minutes isn't an endpoint.  What do you expect to happen when a new
     endpoint is brought up, hopefully with DHCP (the DHCP server can tell the
     "Endpoint survey Server" that a new host is configured), but without it
     - it would be difficult (I guess the end point will eventually SEND a
     packet that will hit the gateway and therefore it can be configured - but
     there is a first packet problem)

     Bill
     -----Original Message-----
     From: owner-ietf(_at_)ietf(_dot_)org [mailto:owner-ietf(_at_)ietf(_dot_)org] On Behalf Of Franck Martin
     Sent: Wednesday, December 10, 2003 2:33 PM
     To: ietf(_at_)ietf(_dot_)org
     Subject: Non terminated traffic...

     Another finding...

     A solution?

     I see that I receive a lot of non-terminated traffic. Meaning a packet
     for an IP that does not exist (about 10% inbound)

     Apart from setting up ingress(?) filtering to ensure that these packets
     get dropped before they go further, I need to communicate with my
     upstream provider to ensure that he/she drops these packets too before
     they go on my link. Is there a way to automatise that, so a soft can
     talk to my upstream provider network system and automatically inform him
     on which IPs are terminated? Routing protocol aggregates IPs, so I'm not
     sure it may select only valid IP and not a range where some IPs are
     valid...

     Does something like that exist, or is a new RFC needed?

     Cheers

     ----
     Franck Martin
     franck(_at_)sopac(_dot_)org
     SOPAC, Fiji
     GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9  D9C6 BE79 9E60 81D9 1320
     "All knowledge is an answer to a question" G.Bachelard

----
Franck Martin
franck(_at_)sopac(_dot_)org
SOPAC, Fiji
GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9  D9C6 BE79 9E60 81D9 1320
"All knowledge is an answer to a question" G.Bachelard
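An added example (not from any message in this thread) of the "endpoint survey" idea Bill sketches, applied to the measurement Franck describes: a Python check that builds the set of addresses in the /24 that currently have endpoints (static hosts plus DHCP leases, with a short grace period for a rebooting host) and reports what share of inbound traffic is non-terminated. The addresses, lease table and flow records are constructed; 192.0.2.0/24 (documentation space) stands in for x.y.z/24.

```python
"""Endpoint survey check: how much inbound traffic lands on IPs nobody uses.
The address set, lease table and flow lines below are constructed for this
example; 192.0.2.0/24 (documentation space) stands in for x.y.z/24."""
import ipaddress
from datetime import datetime, timedelta

PREFIX = ipaddress.ip_network("192.0.2.0/24")
STATIC_HOSTS = {"192.0.2.1", "192.0.2.10"}        # router and one server
# Constructed DHCP lease table: (address, lease expiry). A host that has just
# rebooted keeps counting as an endpoint for a short grace period.
LEASES = [("192.0.2.50", "2003-12-12T13:30:00"),
          ("192.0.2.51", "2003-12-12T12:00:00")]
REBOOT_GRACE = timedelta(minutes=3)

# Constructed inbound flow records: "<timestamp> <src> -> <dst> <bytes>"
FLOWS = """\
2003-12-12T13:10:00 198.51.100.7 -> 192.0.2.10 1200
2003-12-12T13:10:01 198.51.100.7 -> 192.0.2.200 60
2003-12-12T13:10:02 203.0.113.9 -> 192.0.2.201 60
2003-12-12T13:10:03 203.0.113.9 -> 192.0.2.50 800
2003-12-12T13:10:04 203.0.113.9 -> 192.0.2.51 40
2003-12-12T13:10:06 198.51.100.8 -> 192.0.2.1 300
2003-12-12T13:10:07 198.51.100.8 -> 192.0.3.5 60
""".splitlines()

def active_endpoints(now_iso):
    """Addresses that currently terminate traffic: static hosts plus DHCP
    leases still valid or within the reboot grace period."""
    now = datetime.fromisoformat(now_iso)
    live = set(STATIC_HOSTS)
    for ip, expiry in LEASES:
        if now <= datetime.fromisoformat(expiry) + REBOOT_GRACE:
            live.add(ip)
    return live

def survey(flows, now_iso):
    """Return (non-terminated count, total count, unused destinations hit)."""
    live = active_endpoints(now_iso)
    total, dead, unused = 0, 0, set()
    for line in flows:
        _ts, _src, _arrow, dst, _nbytes = line.split()
        if ipaddress.ip_address(dst) not in PREFIX:
            continue  # Bill's case 1): misrouted by upstream, not surveyed
        total += 1
        if dst not in live:      # Bill's case 2): our prefix, no endpoint
            dead += 1
            unused.add(dst)
    return dead, total, unused
```

Feeding the gateway's real flow export and the DHCP server's lease file in place of the constructed data gives the "which IPs are terminated" list Franck wanted to hand to the upstream, and the share of inbound packets it would have dropped.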