Obsession with security has broken a lot of things. In ICMP there are defined responses for "Network Unreachable" and "Host Unreachable". Of course, today those responses are blocked and ignored - even pings don't make it across some ISPs - like Earthlink! I suspect pings are blocked to prevent traceroutes and timing statistics from being collected.

Niket Patwardhan

Franck Martin wrote:
>
> Yes it is problem 2)
>
> and yes I realise it is difficult to solve. This is why I suggested a
> new RFC...
>
> Basically we are starting to see viruses and hackers probing our
> networks... What do we do about it to preserve the Internet bandwidth?
>
> Cheers
>
> On Thu, 2003-12-11 at 11:48, bill wrote:
>
> So is your problem
> 1) That you are seeing packets outside of your address range (x.y.z/24)
> in which case the upstream router incorrectly routed a packet over your
> link
> Or
> 2) That you have x.y.z/24 assigned to you, AND you are only using 10 of
> those addresses, and you are seeing packets for the other 245 addresses
>
> If it is 1) correct routing will eventually solve the problem. If it is
> 2) that would be a very hard problem to solve, having to hook up various
> servers to figure out WHAT addresses have endpoints attached to them.
> What do you want to happen when one of your machines reboots - so for 3
> minutes isn't an endpoint. What do you expect to happen when a new
> endpoint is brought up, hopefully with DHCP (the DHCP server can be the
> "Endpoint survey Server" that a new host is configured), but without it
> - it would be difficult (I guess the end point will eventually SEND a
> packet that will hit the gateway and therefore it can be configured - but
> there is a first packet problem)
>
> Bill
>
> -----Original Message-----
> From: owner-ietf@xxxxxxxx [mailto:owner-ietf@xxxxxxxx] On Behalf Of
> Franck Martin
> Sent: Wednesday, December 10, 2003 2:33 PM
> To: ietf@xxxxxxxx
> Subject: Non terminated traffic...
>
> Another finding...
>
> A solution?
>
> I see that I receive a lot of non-terminated traffic. Meaning a packet
> for an IP that does not exist (about 10% inbound)
>
> Apart from setting up ingress(?) filtering to ensure that these packets
> get dropped before they go further, I need to communicate with my
> upstream provider to ensure that he/she drops these packets too before
> they go on my link. Is there a way to automatise that, so a soft can
> talk to my upstream provider network system and automatically inform him
> on which IPs are terminated? Routing protocol aggregates IPs, so I'm not
> sure it may select only valid IP and not a range where some IPs are
> valid...
>
> Does something like that exist or is a new RFC needed?
>
> Cheers
>
> ----
> Franck Martin
> franck@xxxxxxxxx
> SOPAC, Fiji
> GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320
> "Toute connaissance est une reponse a une question" G.Bachelard
>
> ----
> Franck Martin
> franck@xxxxxxxxx
> SOPAC, Fiji
> GPG Key fingerprint = 44A4 8AE4 392A 3B92 FDF9 D9C6 BE79 9E60 81D9 1320
> "Toute connaissance est une reponse a une question" G.Bachelard