FreeBSD router two DSL connections

Danial Thom danial_thom at yahoo.com
Mon Dec 26 07:58:00 PST 2005



--- Ted Mittelstaedt <tedm at toybox.placo.com> wrote:

> 
> 
> >-----Original Message-----
> >From: Danial Thom [mailto:danial_thom at yahoo.com]
> >Sent: Friday, December 23, 2005 3:47 PM
> >To: Ted Mittelstaedt; Loren M. Lang
> >Cc: Yance Kowara; freebsd-questions at freebsd.org
> >Subject: RE: FreeBSD router two DSL connections
> >
> >
> >Ted the incompetent, wrong on all counts once again:
> >
> >
> >--- Ted Mittelstaedt <tedm at toybox.placo.com> wrote:
> >
> >> 
> >> 
> >> >-----Original Message-----
> >> >From: Danial Thom [mailto:danial_thom at yahoo.com]
> >> >Sent: Wednesday, December 21, 2005 9:56 AM
> >> >To: Loren M. Lang; Ted Mittelstaedt
> >> >Cc: Yance Kowara; freebsd-questions at freebsd.org
> >> >Subject: Re: FreeBSD router two DSL connections
> >> >
> >> >
> >> >All upstream ISPs are connected to everyone on the internet, so it
> >> >doesn't matter which you send your packets to (the entire point of a
> >> >"connectionless" network). They both can forward your traffic to
> >> >wherever it's going.
> >> 
> >> They aren't going to forward your traffic unless it's sourced by an IP
> >> number they assign.  To do otherwise means they would permit you to
> >> spoof IP numbers.  And while it's possible some very small ISPs run by
> >> idiots that don't know any better might still permit this, their feeds
> >> certainly will not.
> >
> >Yes they will.
> 
> I assure you they will not.
> 
> >Routers route based on dest address only. Are you somehow suggesting that
> >an ISP can't be dual homed and use only one link if one goes down, since
> >some of the addresses sent up the remaining pipe wouldn't have source
> >addresses assigned by that upstream provider?
> 
> ISPs that are dual-homed have to register their subnets with both
> providers.
> 
> For example, suppose I'm a small ISP and I go get a Sprint connection and
> get assigned a range of 11 IP subnets, 192.168.1.0 - 192.168.10.0
> 
> These are Sprint-owned IP addresses of course.  As I source traffic from
> 192.168.1.x, Sprint recognizes it as valid traffic and allows it to pass
> Sprint's ingress filter to me.
> 
> Now I get a bit bigger and decide I need a redundant connection.  So I
> contact ARIN and buy an AS number, then contact ATT and get a connection
> to them, then set up BGP between myself and ATT & Sprint.
> 
> When ATT and I are setting up BGP, ATT's techs will ask me what subnets
> I'm advertising, I tell them 192.168.1.0 - 192.168.10.0.  ATT then checks
> with ARIN's whois server to make sure Sprint has entered a record for that
> list of subnets that says I'm authorized to use them.  If all that checks
> out OK then ATT adjusts their ingress filters so I can source traffic to
> them from those subnets.
> 
> Now I get even bigger and need more IPs than what Sprint will provide, so
> I go to ARIN and buy them.  Then all my feeds have to adjust their ingress
> filters to the new subnet.
> 
> Now I get even bigger and I start trying to set up peering relationships
> with other networks, so I don't have to pay them directly.  Well now guess
> what, those networks are now monitoring the traffic volume I'm sending
> them, because they don't want me to use and abuse them and give them
> little peering in return.  So I now have an enormous financial incentive
> to make sure that any traffic coming from any of my end users is in fact
> valid traffic, so you better believe I'm going to enforce that with
> ingress filters to my downstream customers.
> 
> Anyway, this is all academic because the wrongly-sourced packet won't even
> get into my network to be forwarded and blocked by ATT or Sprint, or my
> peer routers, in the first place.  Why? Because every wrongly-sourced
> packet I allow a customer to send to me can potentially displace a correct
> packet from a customer, making their traffic slower and setting up
> potential for complaints.
> 
> The ONLY Internet routers that don't ingress filter today are transit
> routers run by transit ASs, and no network that is worth anything allows
> direct connections to those routers to their end-user customers.  There is
> just too much potential for abuse, and even more potential for being
> blackholed as a rogue network by the rest of the Internet.
> 
> Everybody today that knows anything about what they are doing applies
> ingress filters, or they require their downstreams to ingress filter.  In
> fact I'd say this is one of the reasons Cisco was dislodged as the core
> router vendor by Juniper, because of the need for enough CPU in routers
> closer and closer to the core to be able to run access lists.
> 
> Chances today that a cable line or a DSL line going to an end user could
> get a packet with a non-network source very far into the Internet are
> zilch.
> 
> One of the largest sources of bogus source IP numbers in fact are those
> cheap-as-shit DSL/Cable routers, as some of those models will ARP both
> their legal WAN IP address and the LAN IP addresses on their WAN port.
> All of the ActionTec routers do this in bridged mode, for example, and
> Qwest has thousands of them deployed.  And the second largest source are
> infected PCs that have DDoS trojans on them, which some mothership

You're not using illegal addresses when you load balance, Ted. You're
using real addresses that all of your upstream ISPs need to know about.
Why can't you grasp this concept?

DT
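The two positions in this exchange (an upstream's ingress filter on one side, a dual-homed router deciding which DSL line a packet leaves on the other) can be modelled in a few lines. The following is an added example, not code from the thread, from FreeBSD, or from either poster: it models a BCP 38 style ingress filter at each ISP, then compares destination-only routing with source-based (policy) routing on the customer router, and shows what a failover has to do when the link that owns a source address is down. The link names `dsl0`/`dsl1`, the RFC 5737 documentation prefixes and the addresses are constructed for the illustration and are assumptions.

```python
"""Added example, not code from the thread or from FreeBSD: models the two
sides of the argument above.  An upstream ISP applies a BCP 38 style ingress
filter (it forwards only packets whose source address lies in a prefix it
assigned to that customer link), and a dual-homed customer router picks the
uplink by *source* address so each packet leaves through the ISP that owns
that address.  Link names, prefixes (RFC 5737 documentation ranges) and
addresses below are constructed for the illustration and are assumptions."""

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Uplink:
    name: str                  # interface the DSL modem hangs off (assumed name)
    assigned: Tuple[str, ...]  # prefixes this ISP assigned to us
    nat_address: str           # our own address on this link, used when NATing
    up: bool = True


def owns(link: Uplink, src: str) -> bool:
    """True if the ISP behind `link` assigned the address `src` to us."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in link.assigned)


def isp_ingress_filter(link: Uplink, src: str) -> bool:
    """The upstream's ingress filter: only traffic sourced from prefixes the
    ISP assigned to this link is forwarded; anything else is dropped."""
    return owns(link, src)


def choose_by_destination(links, src: str, dst: str) -> Optional[Uplink]:
    """Destination-only routing: one default route out the first usable
    link, regardless of which ISP the source address came from."""
    return next((l for l in links if l.up), None)


def choose_by_source(links, src: str, dst: str) -> Optional[Uplink]:
    """Policy routing: send the packet out the link whose ISP owns its source
    address, so the packet passes that ISP's ingress filter."""
    return next((l for l in links if l.up and owns(l, src)), None)


def deliver(links, chooser, src: str, dst: str):
    """Returns (link name, accepted): which uplink the router chose and
    whether that ISP's ingress filter let the packet through."""
    link = chooser(links, src, dst)
    if link is None:
        return (None, False)
    return (link.name, isp_ingress_filter(link, src))


def route_with_failover(links, src: str, dst: str):
    """Source-based routing with NAT fallback.  If the link that owns the
    source is down, the router cannot simply push the packet out the other
    link (that ISP's ingress filter drops it as spoofed); it has to rewrite
    the source to an address the surviving ISP assigned.
    Returns (link name, source actually sent, accepted)."""
    link = choose_by_source(links, src, dst)
    if link is not None:
        return (link.name, src, isp_ingress_filter(link, src))
    survivor = next((l for l in links if l.up), None)
    if survivor is None:
        return (None, src, False)
    nat_src = survivor.nat_address
    return (survivor.name, nat_src, isp_ingress_filter(survivor, nat_src))


# Constructed topology: two DSL lines from two different ISPs.
LINKS = (
    Uplink("dsl0", ("203.0.113.0/29",), "203.0.113.2"),
    Uplink("dsl1", ("198.51.100.0/29",), "198.51.100.2"),
)
# Same topology with the second DSL line down.
LINKS_DSL1_DOWN = (
    LINKS[0],
    Uplink("dsl1", ("198.51.100.0/29",), "198.51.100.2", up=False),
)

if __name__ == "__main__":
    dst = "192.0.2.10"
    # Destination-only routing sends a dsl1-sourced packet out dsl0, where
    # that ISP's ingress filter drops it.
    print(deliver(LINKS, choose_by_destination, "198.51.100.3", dst))  # ('dsl0', False)
    # Source-based routing sends it out dsl1, whose ISP accepts it.
    print(deliver(LINKS, choose_by_source, "198.51.100.3", dst))       # ('dsl1', True)
    # With dsl1 down the packet has to be re-sourced to dsl0's address.
    print(route_with_failover(LINKS_DSL1_DOWN, "198.51.100.3", dst))   # ('dsl0', '203.0.113.2', True)
```

On a FreeBSD router the decision in `choose_by_source` is what pf's `route-to` (or ipfw's `fwd`) expresses, and the fallback in `route_with_failover` is what a per-link `nat` rule expresses; the example keeps only the decision logic so it runs offline with no interfaces.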


		


