[dns-operations] DNS deluge for x.p.ctrc.cc

Mark Andrews Mark_Andrews at isc.org
Thu Mar 2 00:13:45 UTC 2006


> * Geo. wrote:
> > We can fix spoofing today without breaking anything, there is no valid
> > reason to spoof so blocking that capability takes nothing away from the
> > internet.
> 
> Unfortunly, that's not true. Spoofing is a common and wide spread technique
> to simulate multihoming without PI space. This is independant of an own AS.

	It's not spoofing when you are using addresses assigned to you.

	Such edge sites have a small range of alternate addresses.
	Both access providers would have the filters on this link
	set to accept both ranges of addresses.

	Nothing in BCP38 says that you can't source traffic with
	addresses that are assigned to you.  It says to block address
	that are not assigned to you.

	If anything breaks it is because inappropriate filters were
	applied.  I would suggest that anyone wishing to deploy
	BCP38 start off with allow rather than deny initially and
	see which filter rule is being hit and follow up to see if
	the filter needs to be broadened.

	Mark
 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org



More information about the dns-operations mailing list