Date: Mon, 26 Dec 2005 21:58:24 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: <danial_thom@yahoo.com>, "Loren M. Lang" <lorenl@alzatex.com>
Cc: Yance Kowara <yance_kowara@yahoo.com>, freebsd-questions@freebsd.org
Subject: RE: FreeBSD router two DSL connections
Message-ID: <LOBBIFDAGNMAMLGJJCKNOECBFDAA.tedm@toybox.placo.com>
In-Reply-To: <20051226154813.90594.qmail@web33311.mail.mud.yahoo.com>
>-----Original Message-----
>From: Danial Thom [mailto:danial_thom@yahoo.com]
>Sent: Monday, December 26, 2005 7:48 AM
>To: Ted Mittelstaedt; Loren M. Lang
>Cc: Yance Kowara; freebsd-questions@freebsd.org
>Subject: RE: FreeBSD router two DSL connections
>
>
>--- Ted Mittelstaedt <tedm@toybox.placo.com> wrote:
>
>> >-----Original Message-----
>> >From: Danial Thom [mailto:danial_thom@yahoo.com]
>> >Sent: Friday, December 23, 2005 3:47 PM
>> >To: Ted Mittelstaedt; Loren M. Lang
>> >Cc: Yance Kowara; freebsd-questions@freebsd.org
>> >Subject: RE: FreeBSD router two DSL connections
>> >
>> >Ted the incompetent, wrong on all counts once again:
>> >
>> >--- Ted Mittelstaedt <tedm@toybox.placo.com> wrote:
>> >
>> >> >-----Original Message-----
>> >> >From: Danial Thom [mailto:danial_thom@yahoo.com]
>> >> >Sent: Wednesday, December 21, 2005 9:56 AM
>> >> >To: Loren M. Lang; Ted Mittelstaedt
>> >> >Cc: Yance Kowara; freebsd-questions@freebsd.org
>> >> >Subject: Re: FreeBSD router two DSL connections
>> >> >
>> >> >All upstream ISPs are connected to everyone on the internet, so it
>> >> >doesn't matter which you send your packets to (the entire point of a
>> >> >"connectionless" network). They both can forward your traffic to
>> >> >wherever it's going.
>> >>
>> >> They aren't going to forward your traffic unless it's sourced by an
>> >> IP number they assign. To do otherwise means they would permit you
>> >> to spoof IP numbers. And while it's possible some very small ISPs
>> >> run by idiots that don't know any better might still permit this,
>> >> their feeds certainly will not.
>> >
>> >Yes they will.
>>
>> I assure you they will not.
>>
>> >Routers route based on dest address only. Are you somehow suggesting
>> >that an ISP can't be dual homed and use only one link if one goes
>> >down, since some of the addresses sent up the remaining pipe wouldn't
>> >have source addresses assigned by that upstream provider?
>>
>> ISPs that are dual-homed have to register their subnets with both
>> providers.
>>
>> For example, suppose I'm a small ISP and I go get a Sprint connection
>> and get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0
>>
>> These are Sprint-owned IP addresses of course. As I source traffic
>> from 192.168.1.x, Sprint recognizes it as valid traffic and allows it
>> to pass Sprint's ingress filter to me.
>>
>> Now I get a bit bigger and decide I need a redundant connection. So I
>> contact ARIN and buy an AS number, then contact ATT and get a
>> connection to them, then set up BGP between myself and ATT & Sprint.
>>
>> When ATT and I are setting up BGP, ATT's techs will ask me what subnets
>> I'm advertising. I tell them 192.168.1.0 - 192.168.10.0. ATT then
>> checks with ARIN's whois server to make sure Sprint has entered a
>> record for that list of subnets that says I'm authorized to use them.
>> If all that checks out OK then ATT adjusts their ingress filters so I
>> can source traffic to them from those subnets.
>
>So if you have 2 ISPs, then both of them know about both of your
>address groups, so you can load balance any way you want, right?

No, they don't know about those groups, as I have just finished
explaining.

>Which is why the scenario I've suggested will work in all cases.
>

Which is why it won't work in all cases.

>I also know tons of secondary peering ISPs that don't do any filtering
>at all on incoming traffic.

Bullcrap. Prove it. Start naming names and I'll post them on NANOG and
ask others' opinions. I'm sure the script kiddies looking for DDoS hosts
will appreciate knowing who to concentrate their attacks on.

>If you're peering with multiple networks the combinations of source
>addresses that are possible to go through your network are too
>mind-boggling to load your server with. Most T3 routers deployed can
>barely handle their loads without filtering every incoming packet
>through ingress filters. You may think they do it, but most don't.
>

As I already said, core routers don't filter. However, networks that do
multiple peering have edge routers that they use to connect to end-node
ASs, and those filter.

>For example, in my office I have a cable modem and a 100Mb/s link to an
>ISP that happens to be in my building. I can set my default router to
>either router and it works fine. The cable modem company will accept
>ANY source address and so will the ISP. I assure you that the cable
>company doesn't know of my other addresses.
>

Bullcrap. Once again, prove it. If you think this scenario really
exists, post who is involved instead of hiding.

Ted
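The ingress-filter argument above, modelled as an added example that is not part of the thread: each provider edge only forwards packets whose source address it has assigned to, or registered for, the link they arrive on, so a dual-homed site has to register its subnets with both providers, and a two-DSL router that sends a packet with provider A's address out provider B's line gets it dropped. The 192.168.x.0 subnets are the ones from Ted's message; the two DSL prefixes and all uplink names are constructed.

```python
import ipaddress

# Added example, not code from the thread. Models source-address ingress
# filtering at a provider edge and which uplink(s) will carry a given packet.


def build_ingress_filter(authorised_prefixes):
    """Return a predicate that accepts a packet source only if it lies in a
    prefix the provider has authorised for this customer link."""
    nets = [ipaddress.ip_network(p) for p in authorised_prefixes]

    def accept(src):
        ip = ipaddress.ip_address(src)
        return any(ip in n for n in nets)

    return accept


def forwarded_by(uplinks, src):
    """Names of the uplinks whose ingress filter passes a packet sourced from
    src. An empty list means the packet is dropped on every link."""
    return sorted(name for name, accept in uplinks.items() if accept(src))


# The subnets from Ted's example, 192.168.1.0 to 192.168.10.0, taken as /24s.
SPRINT_SUBNETS = [f"192.168.{i}.0/24" for i in range(1, 11)]

# Scenario 1: single-homed. Only Sprint has an ingress entry for the subnets.
SINGLE_HOMED = {"sprint": build_ingress_filter(SPRINT_SUBNETS)}

# Scenario 2: dual-homed with BGP, after ATT checked the ARIN record and added
# the same subnets to its own ingress filter (the registration step above).
DUAL_HOMED = {
    "sprint": build_ingress_filter(SPRINT_SUBNETS),
    "att": build_ingress_filter(SPRINT_SUBNETS),
}

# Scenario 3: two DSL lines, each with its own provider-assigned range and no
# registration with the other provider. Prefixes are constructed (RFC 5737).
TWO_DSL = {
    "dsl_a": build_ingress_filter(["203.0.113.0/24"]),
    "dsl_b": build_ingress_filter(["198.51.100.0/24"]),
}

if __name__ == "__main__":
    print(forwarded_by(SINGLE_HOMED, "192.168.3.7"))  # ['sprint']
    print(forwarded_by(DUAL_HOMED, "192.168.3.7"))    # ['att', 'sprint']
    print(forwarded_by(TWO_DSL, "203.0.113.10"))      # ['dsl_a'] only
    print(forwarded_by(TWO_DSL, "10.0.0.1"))          # [] dropped everywhere
```

A router in the two-DSL case therefore has to pick the outgoing line by the packet's source address, not spread packets across both lines regardless of source.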