On Wed, 19 Apr 2017, Brian Kantor wrote:
> (Please trim inclusions from previous messages)
> Several sources of ipencap'd packets being received by amprgw have non-44 inner source addresses.
> Would you all agree that a protocol-4 (ipencap) packet reaching the UCSD gateway should always have an inner (encap'd) source address on the 44-net? And that those that don't should be considered bogus and be discarded?
Quite clearly they can be discarded.
They *should* be discarded; they can be attempts to use the router as a bouncer point for network attacks.
For an IPIP packet, if the inner src is in 44/8 and the destination is not in 44/8, the packet can be accepted; the amprnet host is communicating with the outside Internet. But I would believe all other cases to be mostly config issues.
* src in 44/8, dst not in 44/8: OK, amprnet host talking to the Internet
* src in 44/8, dst in 44/8: the sender gateway has a silly default route towards UCSD and has not loaded the full mesh encap route table, could probably drop unless you wish to support this use case (star network topology instead of mesh)
* src not in 44/8: totally bogus, ipip packets should be originated by amprnet gateways only
- Hessu, OH7LZB
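The three cases above, written out as a packet classifier. This is an added example and not code from the thread, from Hessu, or from amprgw itself: it parses the outer IPv4 header, checks for protocol 4, parses the inner header and applies the src-in-44/8 / dst-in-44/8 rules. All addresses are constructed documentation addresses (the gateway stand-in 192.0.2.1 is not the real amprgw address), IP checksums are left zero and not validated, and the `allow_star` flag is an assumed knob for the star-topology case Hessu mentions.

```python
import ipaddress
import struct

AMPRNET = ipaddress.ip_network("44.0.0.0/8")
IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
IPPROTO_IPENCAP = 4


def parse_ipv4_header(buf, offset=0):
    """Return (src, dst, protocol, header_length) for the IPv4 header at `offset`."""
    if len(buf) - offset < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack_from(IPV4_HDR, buf, offset)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(buf) - offset < ihl:
        raise ValueError("bad IHL")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, ihl


def classify_ipencap(packet, allow_star=False):
    """Decide whether a protocol-4 packet arriving at the gateway is accepted or dropped.

    Returns (verdict, reason). `allow_star` (assumed option) accepts 44-to-44 traffic
    relayed through the hub instead of dropping it as a missing-mesh-routes config issue.
    """
    try:
        _osrc, _odst, proto, ihl = parse_ipv4_header(packet)
        if proto != IPPROTO_IPENCAP:
            return ("drop", "not ipencap (protocol 4)")
        inner_src, inner_dst, _, _ = parse_ipv4_header(packet, ihl)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}")

    if inner_src not in AMPRNET:
        # Bogus: ipip packets should only be originated by amprnet gateways.
        return ("drop", "inner src not in 44/8")
    if inner_dst in AMPRNET:
        if allow_star:
            return ("accept", "44-to-44 via hub (star topology)")
        return ("drop", "inner dst in 44/8: sender has a default route to the hub, no mesh routes")
    return ("accept", "amprnet host talking to the Internet")


def build_ipip(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Build a constructed IPIP test packet (checksums left as zero)."""
    def hdr(src, dst, proto, payload_len):
        return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    inner = hdr(inner_src, inner_dst, 17, len(payload)) + payload
    return hdr(outer_src, outer_dst, IPPROTO_IPENCAP, len(inner)) + inner


# Constructed sample traffic as seen at the gateway (192.0.2.1 stands in for amprgw).
SAMPLES = {
    "to_internet": build_ipip("203.0.113.10", "192.0.2.1", "44.1.2.3", "198.51.100.7"),
    "to_44_via_hub": build_ipip("203.0.113.10", "192.0.2.1", "44.1.2.3", "44.5.6.7"),
    "bogus_src": build_ipip("203.0.113.10", "192.0.2.1", "10.0.0.5", "198.51.100.7"),
    "truncated": build_ipip("203.0.113.10", "192.0.2.1", "44.1.2.3", "198.51.100.7")[:30],
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify_ipencap(pkt)}")
```

Running it prints one verdict per constructed sample; the only thing that changes between the mesh and star policies is the verdict for the 44-to-44 case.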