On Wed, 19 Apr 2017, Brian Kantor wrote:
(Please trim inclusions from previous messages)
> Several sources of ipencap'd packets being received by amprgw
> have non-44 inner source addresses.
> Would you all agree that a protocol-4 (ipencap) packet reaching
> the UCSD gateway should always have an inner (encap'd) source
> address on the 44-net? And that those that don't should be
> considered bogus and be discarded?
Quite clearly they can be discarded.
They *should* be discarded; they can be attempts to use the router as a
bouncer point for network attacks.
For an IPIP packet, if the inner src is in 44/8 and the destination is not
in 44/8, the packet can be accepted; the amprnet host is communicating
with the outside Internet. But I would believe all other cases to be
mostly config issues.
* src in 44/8, dst not in 44/8: OK, amprnet host talking to the Internet
* src in 44/8, dst in 44/8: the sender gateway has a silly default route
towards UCSD and has not loaded the full mesh encap route table, could
probably drop unless you wish to support this use case (star network
topology instead of mesh)
* src not in 44/8: totally bogus, ipip packets should be originated by
amprnet gateways only
- Hessu, OH7LZB
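The three-way classification Hessu lays out above, as an added example that is not part of the thread or of any real amprgw filter: it parses the outer and inner IPv4 headers of a protocol-4 (IPIP) packet and sorts it into accept / review / drop by whether the inner source and destination fall in 44/8. The packet bytes are constructed here for the test (checksums left zero, 192.0.2.x and 198.51.100.x are documentation addresses standing in for gateway and Internet hosts).

```python
import ipaddress
import struct

AMPRNET = ipaddress.ip_network("44.0.0.0/8")  # "44/8" as used in the thread
IPENCAP = 4  # IP protocol number for IPIP (ipencap)

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) for an IPv4 header, or None if malformed."""
    if len(buf) < 20:
        return None
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, ihl

def classify_ipip(pkt):
    """Apply the thread's rules to an outer IPv4 packet arriving at the gateway."""
    outer = parse_ipv4(pkt)
    if outer is None:
        return "drop: malformed outer header"
    _, _, proto, ihl = outer
    if proto != IPENCAP:
        return "not-ipip"  # not our concern here; handled by other rules
    inner = parse_ipv4(pkt[ihl:])
    if inner is None:
        return "drop: malformed inner header"
    isrc, idst, _, _ = inner
    if isrc not in AMPRNET:
        # "totally bogus": IPIP should only originate from amprnet gateways
        return "drop: inner src not in 44/8 (bogus)"
    if idst in AMPRNET:
        # sender relying on a default route to the gateway instead of the encap mesh
        return "review: 44->44 via gateway (star topology / missing encap routes)"
    return "accept: amprnet host talking to the Internet"

def build_ipv4(src, dst, proto, payload=b""):
    """Constructed test data: minimal 20-byte IPv4 header, checksum left as zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def build_ipip(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed test data: IPIP packet carrying an inner IPv4 header with a TCP stub."""
    inner = build_ipv4(inner_src, inner_dst, 6, b"\x00" * 20)
    return build_ipv4(outer_src, outer_dst, IPENCAP, inner)
```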