One thing about egress filtering which I noted recently.

If the leaf node is using VPN software, you may be in for a surprise!

At least one major vendor of VPN client software performs the Virtual
functions by re-writing the source address of the packet:

Mobile PC: -A-
VPN Gateway: -B-
Protected Server: -C-

Communicating from -A- to -C- via -B-:
On A:
Packet 1:
SRC: A
DST: B

Packet 2:
SRC: -C-
DST: B

This product rewrites the packet so that the gateway sees an incoming
packet with the final destination as the source!
(Not very nice eh?)

Regards,
        Crispin Harris
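To make the effect concrete, here is an added example (not code from the message or from any VPN vendor) that runs the two packets described above through a plain leaf-network egress rule; the addresses standing in for -A-, -B- and -C- and the local prefix are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for -A-, -B- and -C- in the message above.
LEAF_PREFIX = ip_network("192.0.2.0/24")   # the leaf network the border filter protects
MOBILE_PC_A = "192.0.2.10"                 # -A-, inside the leaf network
VPN_GATEWAY_B = "198.51.100.1"             # -B-, the VPN gateway on the far side
PROTECTED_SERVER_C = "203.0.113.5"         # -C-, the protected server behind -B-


def egress_verdict(src: str, dst: str, local_prefix=LEAF_PREFIX) -> str:
    """Apply the usual leaf-network egress rule at the border router:
    an outbound packet may leave only if its source address belongs to the
    local prefix, i.e. is an address this network could legitimately
    originate.  Any other source is treated as spoofed and dropped.
    The destination is carried along only for logging; the rule keys on src."""
    if ip_address(src) in local_prefix:
        return "allow"
    return "drop"


def vpn_session_verdicts() -> dict:
    """Run the two packets from the message through the filter.
    Packet 1 is the ordinary A -> B exchange with the gateway.
    Packet 2 is the packet after the VPN client has rewritten it, so its
    source is -C- (an address outside our prefix) even though it really
    originates on -A-.  A source-keyed egress rule cannot tell it apart
    from a spoofed packet and drops it."""
    return {
        "packet1": egress_verdict(MOBILE_PC_A, VPN_GATEWAY_B),
        "packet2": egress_verdict(PROTECTED_SERVER_C, VPN_GATEWAY_B),
    }


if __name__ == "__main__":
    for name, verdict in vpn_session_verdicts().items():
        print(f"{name}: {verdict}")
```

The second verdict is the surprise described above: the tunnel is not spoofing anything, but from the border router's point of view it is indistinguishable from a spoofed packet.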

> -----Original Message-----
> From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, 10 June 2001 11:59 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: This is a must read document. It will freak you out
> 
> 
> On Sun, 10 Jun 2001 [EMAIL PROTECTED] wrote:
> 
> >   Egress filtering at border points is appropriate for leaf networks.
> 
> Which is exactly what I'm proposing.
> 
> >  Many ISPs, though, also ferry third-party traffic between their
> > peering points; it would be inappropriate for them to accept traffic
> > that an egress rule elsewhere will prevent them from delivering.
> 
> Egress rules don't prevent anything from being delivered if the egress is
> legitimate.
> 
> >   This isn't to say that it can't or shouldn't be done, only that
> > determining how much filtering should be done, and at which routers,
> > may be less simple for multi-homed ISPs than it sounds.
> 
> Once again, I'm stressing that end-user network filtering be the
> major point of egress filtering, not ISP networks.
> 
> ISPs can do fairly easy filtering based on prefixes they transit or
> announce, but I agree with the contention that the aggregation of traffic
> is too much at those points to not affect performance by filtering in the
> transit space. ISPs hosting networks should, of course, employ egress
> filtering, but in that case, they're acting as a leaf node, not a transit
> entity.
> 
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 