[dns-operations] DNS deluge for x.p.ctrc.cc
Mark Andrews
Mark_Andrews at isc.org
Thu Mar 2 00:13:45 UTC 2006
> * Geo. wrote:
> > We can fix spoofing today without breaking anything, there is no valid
> > reason to spoof so blocking that capability takes nothing away from the
> > internet.
>
> Unfortunly, that's not true. Spoofing is a common and wide spread technique
> to simulate multihoming without PI space. This is independant of an own AS.
It's not spoofing when you are using addresses assigned to you.
Such edge sites have a small range of alternate addresses.
Both access providers would have the filters on this link
set to accept both ranges of addresses.
Nothing in BCP38 says that you can't source traffic with
addresses that are assigned to you. It says to block address
that are not assigned to you.
If anything breaks it is because inappropriate filters were
applied. I would suggest that anyone wishing to deploy
BCP38 start off with allow rather than deny initially and
see which filter rule is being hit and follow up to see if
the filter needs to be broadened.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations
mailing list