[AusNOG] Filtering services and odd things

Ben Hohnke settra+ausnog at gmail.com
Tue Feb 16 11:01:17 EST 2016


I agree - why would an ISP need to track connections? (Unless they were
behind CGNAT)

On Tue, Feb 16, 2016 at 10:58 AM Mark Andrews <marka at isc.org> wrote:

>
> In message
> <PS1PR03MB165960988F25CAA3586E14D496AC0 at PS1PR03MB1659.apcprd03.prod.
> outlook.com>, Tristram Cheer writes:
> >
> > Hi All,
> >
> > I came across a client on our network that is using a filtering service
> > where the client installs a device that sends all of their upload traffic
> > over an IPSec tunnel to a 3rd party network for inspection before that
> > network then sends the request on with the "spoofed" IP of the client's
> > public IP so that the download stream returns directly to the client.
> > This way the filtering service doesn't have to deal with the download
> > traffic volumes. Initially it seemed ok but the more I thought about it
> > the more it didn't sit right with me.
>
> It's not spoofed if it originated from the client.  The outgoing
> traffic almost certainly has the public address before it enters
> the IPSec tunnel so that the reply traffic can be correctly reverse
> NATed; otherwise it doesn't have the necessary state.
>
> inside <-> NAT <-          ISP           <- world
>                \                            /
>                 -> IPSec Tunnel -> filter >-
>
> > Has anyone else come across this type of service before? Have you run
> > into problems with what is in effect one-way traffic from a
> > SME/Residential connection? It seems to me that BCP38 would knock this
> > service out, and if the ISP was doing any sort of inspection that would
> > require both up and down streams it may break their connection/degrade
> > it. Whilst it's technically ok it just seems a little off for a
> > non-enterprise connection to potentially be acting "odd". Not looking at
> > the pros and cons of filtering but just thought I'd put it to the list
> > to see what everyone's thoughts are on it :)
>
> Why should the ISP care about seeing both sides of a stream?  The
> ISP's job is to ship packets.  Asymmetric routing happens all the
> time.  This is just an example of it.
>
> > Cheers
> >
> >
> > TRISTRAM CHEER
> > UBER GROUP LIMITED
> > NETWORK ARCHITECT - MOST PROBLEMS ARE THE RESULT OF PREVIOUS SOLUTIONS...
> >
> >
> > E: t at uber.co.nz<mailto:t at uber.co.nz>
> > P: 09 438 5472 Ext 803 | M: 022 412 1985 | W:
> > www.uber.co.nz<http://www.uber.co.nz>
> > 53 PORT ROAD | PO BOX 5083 | WHANGAREI | NEW ZEALAND
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
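As an added example (not from any poster on this thread), a small Python model of the two points raised above: Mark's note that a middlebox needs state to admit return traffic, and Tristram's question about BCP38 and one-way traffic. The addresses, the tracker behaviour and the uRPF policy are constructed assumptions for illustration.

```python
"""Constructed model of the flow in the thread: the client's upload stream goes
through an IPsec tunnel to a filtering provider, which forwards it with the
client's public IP as source; the reply returns directly via the ISP.  Modelled:
a stateful tracker at the ISP (CGNAT/inspection) and strict BCP38 uRPF at the
filtering provider's upstream.  Not the code of any party in the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Documentation-range addresses chosen for this example.
CLIENT_PUBLIC = "203.0.113.10"
FILTER_GW = "198.51.100.1"                      # IPsec endpoint at the filter
FILTER_PREFIX = ip_network("198.51.100.0/24")   # sources the filter's upstream expects
WORLD = "192.0.2.80"
ESP = 50  # IP protocol number for ESP; used as a stand-in "port" for the envelope

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class ConnTracker:
    """Minimal stateful tracker: a reply is admitted only if it reverses a
    4-tuple previously seen leaving the customer side."""
    def __init__(self) -> None:
        self.flows: set = set()

    def outbound(self, p: Packet) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.flows

def urpf_strict(p: Packet, allowed: ip_network) -> bool:
    """BCP38 ingress check: accept only sources the neighbour may originate."""
    return ip_address(p.src) in allowed

def simulate(via_tunnel: bool) -> dict:
    isp = ConnTracker()
    request = Packet(CLIENT_PUBLIC, WORLD, 40000, 443)
    reply = Packet(WORLD, CLIENT_PUBLIC, 443, 40000)
    if via_tunnel:
        # The ISP sees only the ESP envelope to the filter, not the inner TCP flow.
        isp.outbound(Packet(CLIENT_PUBLIC, FILTER_GW, ESP, ESP))
        upstream_ok = urpf_strict(request, FILTER_PREFIX)  # client IP is not the filter's
    else:
        isp.outbound(request)
        upstream_ok = True  # no third-party hop, nothing for uRPF to object to
    return {"upstream_accepts_request": upstream_ok,
            "isp_tracker_admits_reply": isp.inbound(reply)}
```

With the tunnel in place, both checks fail: strict uRPF at the filter's upstream drops the request sourced from the client's IP, and a stateful box at the ISP that never saw the inner request drops the reply; the client's own NAT is unaffected, since it translated before the tunnel.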