Re: Mail relay attempts
On Thursday, Aug 29, 2002, at 09:34 US/Eastern, Nathan E Norman wrote:
> This is why all ISPs should apply filters at their ingress/egress
> points. Unfortunately, many do not.
While I don't want to start a flame war here, as all discussions of
this topic seem to become, I'd just like to point out there are very
legitimate arguments that egress filtering is a bad thing.
IP routing does not have to be symmetric. It is for certain situations
very useful to have data come in one connection and leave another. Even
if those connections are from different ISPs. A recent time I did this
was to transition to a new hosting facility; the router at the old
facility was configured to forward data to the new facility over a GRE
tunnel, where it was then passed through static NAT. The data coming
out of the new facility was sent out with the old facility's IPs as the
source. Tunneling that would have been bad, because the outgoing traffic
was much, much larger than incoming.
Another thing reverse path filtering breaks is having a mobile IP
address. Say you take your laptop with you --- it can be very useful to
have a constant IP address, especially if you want to keep, e.g., an ssh
connection open. That is fairly easily done by tunneling packets sent
to that address to the actual IP of the laptop. Data sent out from the
laptop is sent with the mobile IP address as source. No reason to
tunnel it back, that just wastes bandwidth and slows things down more.
Spoofed addresses are annoying. However, it's not really something that
can be fixed. Please don't break useful features while failing....