[AusNOG] Filtering services and odd things

Mark Andrews marka at isc.org
Tue Feb 16 10:57:54 EST 2016


In message <PS1PR03MB165960988F25CAA3586E14D496AC0 at PS1PR03MB1659.apcprd03.prod.outlook.com>, Tristram Cheer writes:
>
> Hi All,
>
> I came across a client on our network that is using a filtering service
> where the client installs a device that sends all of their upload traffic
> over an IPSec tunnel to a 3rd party network for inspection before that
> network then sends the request on with the "spoofed" IP of the client's
> public IP so that the download stream returns directly to the client.
> This way the filtering service doesn't have to deal with the download
> traffic volumes. Initially it seemed ok but the more I thought about it
> the more it didn't sit right with me.

It's not spoofed if it originated from the client.  The outgoing
traffic almost certainly has the public address before it enters
the IPSec tunnel so that the reply traffic can be correctly reverse
NATed; otherwise it doesn't have the necessary state.

inside <-> NAT <-          ISP           <- world
               \                            /
                -> IPSec Tunnel -> filter >-

> Has anyone else come across this type of service before? Have you run
> into problems with what is in effect one way traffic from a
> SME/Residential connection? It seems to me that BCP38 would knock this
> service out and if the ISP was doing any sort of inspection that would
> require both up and down streams it may break their connection/degrade
> it. Whilst it's technically ok it just seems a little off for a
> non-enterprise connection to potentially be acting "odd". Not looking at
> the pros and cons of filtering but just thought I'd put it to the list
> to see what everyone's thoughts are on it :)

Why should the ISP care about seeing both sides of a stream?  The
ISP's job is to ship packets.  Asymmetric routing happens all the
time.  This is just an example of it.

> Cheers
>
>
> TRISTRAM CHEER
> UBER GROUP LIMITED
> NETWORK ARCHITECT - MOST PROBLEMS ARE THE RESULT OF PREVIOUS SOLUTIONS...
>
> [Facebook]<https://www.facebook.com/UberGroup?_rdr=p> [Twitter]
> <https://twitter.com/ubergroupltd>
>
> E: t at uber.co.nz<mailto:t at uber.co.nz>
> P: 09 438 5472 Ext 803 | M: 022 412 1985 | W:
> www.uber.co.nz<http://www.uber.co.nz>
> 53 PORT ROAD | PO BOX 5083 | WHANGAREI | NEW ZEALAND
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
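Added model of the path in the diagram above (not code from the thread or from either poster): the client NAT translates to the public address before the tunnel, the reply comes straight back via the ISP and matches that state, and a BCP38 ingress filter on the filtering provider's upstream decides whether the client-sourced packets get out at all. All addresses are constructed documentation-range values; the prefix lists are assumptions for the model.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for this model only; none of them come from the thread.
CLIENT_INSIDE = ip_address("192.168.1.20")     # host behind the client's NAT
CLIENT_PUBLIC = ip_address("203.0.113.10")     # client's ISP-assigned public IP
ISP_PREFIX = ip_network("203.0.113.0/24")      # prefix the ISP expects on the client link
FILTER_PREFIX = ip_network("198.51.100.0/24")  # filtering provider's own prefix (assumed)
SERVER = ip_address("192.0.2.80")              # remote server on the Internet


def nat_outbound(state, src, sport, dst, dport, public_ip=CLIENT_PUBLIC):
    """Rewrite the source to the public IP before the packet enters the IPSec tunnel,
    recording the mapping so the reply arriving via the ISP can be reverse-NATed."""
    state[(public_ip, sport, dst, dport)] = (src, sport)
    return (public_ip, sport, dst, dport)


def nat_inbound(state, src, sport, dst, dport):
    """Reverse-translate a reply; returns None when no outbound state exists."""
    inside = state.get((dst, dport, src, sport))
    if inside is None:
        return None
    return (src, sport, inside[0], inside[1])


def bcp38_permits(allowed_prefixes, src):
    """Ingress filter on an upstream link: accept only sources within the prefixes
    legitimately belonging to the customer behind that link (BCP38)."""
    return any(src in p for p in allowed_prefixes)


def simulate(filter_upstream_allows_client_prefix):
    """Walk the asymmetric path: request up the tunnel via the filter, reply direct."""
    state = {}
    # 1. The ISP's own BCP38 check sees the tunnel's outer source, which is the
    #    client's real public IP, so from the ISP's side nothing is spoofed.
    isp_ok = bcp38_permits([ISP_PREFIX], CLIENT_PUBLIC)
    # 2. Client NAT translates before the tunnel, so the reverse state exists.
    pkt = nat_outbound(state, CLIENT_INSIDE, 40000, SERVER, 443)
    # 3. The filter forwards it unchanged; its upstream applies BCP38 to the
    #    client's source, which passes only if that prefix is permitted there.
    allowed = [FILTER_PREFIX] + ([ISP_PREFIX] if filter_upstream_allows_client_prefix else [])
    egress_ok = bcp38_permits(allowed, pkt[0])
    # 4. The server's reply goes straight to the ISP and hits the NAT state table.
    reply = nat_inbound(state, SERVER, 443, CLIENT_PUBLIC, 40000) if egress_ok else None
    return {"isp_link_passes_bcp38": isp_ok, "egress_passes_bcp38": egress_ok,
            "reply_matches_state": reply is not None,
            "reply_inside_dst": None if reply is None else str(reply[2])}
```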
