- To: Howard Lowndes <lannet@xxxxxxxxxxxxx>, Mail List - Oz-ISP <aussie-isp@xxxxxxxxxx>
- Subject: [SLUG] Re: [Oz-ISP] Internet connection curiosity (further)
- From: John Allan - Lists <johna-lists@xxxxxxxxxxxxx>
- Date: Mon Oct 23 14:39:48 2000
- Cc: Mail List - SLUG <slug@xxxxxxxxxxx>
> Someone suggested (I forget who, but tks all the same) that it might be a
> defrag problem so I went to look at the firewall logs and indeed there
> were ICMP defrag packets, but from RFC1918 addresses, so they were being
> blocked by the firewall.
> I have a strict firewall policy of blocking any packet with an RFC1918
> address, whether source or destination, or an inbound packet with a source
> address from the site assigned IP block, or an outbound packet to a
> destination address from the site assigned IP block.
Which is a good idea.
> I am aware of an ISP who runs all of their router interfaces using
> point-to-point links (where you or I would just throw a /29 or /30 at it and
> be done with it) on RFC1918 address space. They don't think this is a
> problem. I do. Same sort of problem.
Most backbone providers block RFC1918 addresses at various points along the
way. Solution is to tell those people who have put in kludges to fix them.
> My question is: Should I stick with that strict policy, or am I safe in
> relaxing it for ICMP messages just to suit inconsiderate ISPs who refuse
> to comply with RFC1918?
IMHO no. Other less-relaxing-than-you backbone providers will block this
traffic anyway - so you allowing it will only fix the problem where the
source of the private address space is close enough to you that there isn't
a sink hole in the middle.
Seen this same problem before anyway. Only solution is to "fix" it. :-)
Cheers,
John
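The filtering policy discussed in this thread, written out as a small added example (not code from either poster): it drops anything with an RFC1918 source or destination, drops inbound packets claiming the site's own block and outbound packets addressed to it, and carries an optional switch for the relaxation Howard asks about, letting ICMP type 3 code 4 (fragmentation needed) through from private space so the blocked PMTUD case becomes visible. The site block and addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site block for the example; the post does not name one.
SITE_BLOCK = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    icmp_type: int = -1   # only meaningful when proto == "icmp"
    icmp_code: int = -1


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_frag_needed(pkt: Packet) -> bool:
    # ICMP destination unreachable (type 3), fragmentation needed and DF set (code 4):
    # the message path MTU discovery depends on, and the one the firewall logs showed.
    return pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 4


def verdict(pkt: Packet, direction: str, relax_icmp: bool = False) -> str:
    """Return 'accept' or 'drop'. direction is 'in' (from the Internet) or 'out'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if is_rfc1918(pkt.src) or is_rfc1918(pkt.dst):
        # The relaxation under discussion: admit only inbound PMTUD messages
        # addressed to our own block, nothing else from private space.
        if relax_icmp and direction == "in" and is_frag_needed(pkt) and dst in SITE_BLOCK:
            return "accept"
        return "drop"
    if direction == "in" and src in SITE_BLOCK:
        return "drop"     # arriving from outside but claiming to be one of ours
    if direction == "out" and dst in SITE_BLOCK:
        return "drop"     # leaving the site while addressed to the site
    return "accept"
```

Even with `relax_icmp` on, the reply's point stands: a provider upstream applying the strict rule drops the same message before it reaches this filter.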