
Re: Mail relay attempts
On Thursday, Aug 29, 2002, at 09:34 US/Eastern, Nathan E Norman wrote:

> This is why all ISPs should apply filters at their ingress/egress
> points.  Unfortunately, many do not.

While I don't want to start a flame war here, as all discussions of this topic seem to become, I'd just like to point out there are very legitimate arguments that egress filtering is a bad thing.

IP routing does not have to be symmetric. It is for certain situations very useful to have data come in one connection and leave another. Even if those connections are from different ISPs. A recent time I did this was to transition to a new hosting facility; the router at the old facility was configured to forward data to the new facility over a GRE tunnel, where it was then passed through static NAT. The data coming out of the new facility was sent out with the old facility's IPs as the source. Tunneling that would have been bad, because the outgoing traffic was much, much larger than incoming.

Another thing reverse path filtering breaks is having a mobile IP address. Say you take your laptop with you --- it can be very useful to have a constant IP address, especially if you want to keep, e.g., an ssh connection open. That is fairly easily done by tunneling packets sent to that address to the actual IP of the laptop. Data sent out from the laptop is sent with the mobile IP address as source. No reason to tunnel it back, that just wastes bandwidth and slows things down more.

Spoofed addresses are annoying. However, it's not really something that can be fixed. Please don't break useful features while failing....
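The distinction behind the objection above is strict versus loose unicast reverse-path forwarding (uRPF): strict mode drops a packet whose source is not routed back out the interface it arrived on, which is exactly what the asymmetric GRE/NAT setup trips over, while loose mode only requires that some non-null route to the source exist. The model below is an added example, not code from the thread; it assumes a constructed routing table for the new facility's ISP edge router using RFC 5737 documentation prefixes, with 198.51.100.0/24 standing in for the old facility's addresses.

```python
import ipaddress

# Constructed routing table for the NEW facility's ISP edge router (an assumption
# for this example; nothing here comes from the post). Each entry is
# (prefix, egress interface); None marks a null route (unrouted space).
ROUTES = [
    ("0.0.0.0/0",       "upstream"),          # default route
    ("203.0.113.0/24",  "cust-newfacility"),  # prefix assigned to the new facility
    ("198.51.100.0/24", "upstream"),          # old facility's prefix, reached via the Internet
    ("192.0.2.0/24",    None),                # unallocated space, null-routed
]

def best_route(src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def strict_rpf(src, ingress_iface):
    """Strict uRPF: accept only if the best route back to src leaves via the
    interface the packet arrived on. This is the check that breaks asymmetric
    routing: the old facility's prefix routes toward upstream, not the customer port."""
    route = best_route(src)
    return route is not None and route[1] == ingress_iface

def loose_rpf(src, allow_default=False):
    """Loose uRPF: accept if src is covered by any non-null route. The default
    route is ignored unless allow_default, because it would match every source."""
    route = best_route(src)
    if route is None or route[1] is None:
        return False
    return allow_default or route[0].prefixlen > 0

def evaluate(packets):
    """Run both checks over (src, ingress_iface) pairs; returns a dict keyed by source."""
    return {src: {"strict": strict_rpf(src, iface), "loose": loose_rpf(src)}
            for src, iface in packets}

if __name__ == "__main__":
    # Constructed packets arriving on the new facility's customer port.
    sample = [
        ("203.0.113.10", "cust-newfacility"),  # the facility's own address
        ("198.51.100.5", "cust-newfacility"),  # old facility's IP as source (the post's scenario)
        ("192.0.2.1",    "cust-newfacility"),  # null-routed source (a classic spoof signature)
    ]
    for src, result in evaluate(sample).items():
        print(f"{src:15} strict={result['strict']!s:5} loose={result['loose']}")
```

Loose mode still rejects sources with no route or a null route, so it catches bogon-sourced traffic without breaking the asymmetric cases the post describes.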
