[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Mail relay attempts

On Thursday, Aug 29, 2002, at 09:34 US/Eastern, Nathan E Norman wrote:

This is why all ISPs should apply filters at their ingress/egress
points.  Unfortunately, many do not.

While I don't want to start a flame war here, as all discussions of this topic seem to become, I'd just like to point out there are very legitimate arguments that egress filtering is a bad thing.

IP routing does not have to be symmetric. It is for certain situations very useful to have data come in one connection and leave another. Even if those connections are from different ISPs. A recent time I did this was to transition to a new hosting facility; the router at the old facility was configured to forward data to the new facility over a GRE tunnel, where it was then passed through static NAT. The data coming out of the new facility was sent out with the old facilities IPs as the source. Tunneling that would of been bad, because the outgoing traffic was much, much, larger than incoming.

Another thing reverse path filtering breaks is having a mobile IP address. Say you take your laptop with you --- it can be very useful to have a constant IP address, especially if you want to keep, e.g., a ssh connection open. That is fairly easily done by tunneling packets sent to that address to the actual IP of the laptop. Data sent out from the laptop is sent with the mobile IP address as source. No reason to tunnel it back, that just wastes bandwidth and slows things down more.

Spoofed addresses are annoying. However, it's not really something that can be fixed. Please don't break useful features while failing....

Reply to: