[AusNOG] Filtering services and odd things

Simon Paterson simon.paterson.nz at gmail.com
Wed Feb 17 08:19:42 EST 2016


On 16/02/16 12:38, Tristram Cheer wrote:
>
> Hi All,
>
> I came across a client on our network that is using a filtering 
> service where the client installs a device that sends all of their 
> upload traffic over an IPSec tunnel to a 3rd party network for 
> inspection before that network then sends the request on with the 
> “spoofed” IP of the client’s public IP so that the download stream 
> returns directly to the client.
>
At $priorjob, we 'resold' the service that Pete mentioned.
>
> Has anyone else come across this type of service before? Have you run 
> into problems with what is in effect one way traffic from a 
> SME/Residential connection? It seems to me that BCP38 would knock this 
> service out
>
We did encounter one BCP38 type issue. Port 80 traffic from clients, 
destined to our own on-net web servers (customer portal, etc), passed 
through the filtering ISP, then re-entered our network via local 
peering. As we did do BCP38 style filtering, this traffic was dropped as 
being our IPs spoofed externally.  I therefore had to create specific 
filter exceptions on all the likely ingress points for this type of traffic.

Cheers,
Simon
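
Added example, not part of the original message or thread: a small model of the edge anti-spoofing check Simon describes, showing why the filtered port 80 traffic was dropped and how a narrowly scoped exception admits only that flow. The prefixes, interface names, server address and the single exception entry are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed values: documentation prefixes and made-up interface names.
OWN_PREFIXES = [ip_network("192.0.2.0/24"),      # on-net servers
                ip_network("198.51.100.0/24")]   # customer address space
EXTERNAL_IFACES = {"transit0", "peering0"}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class FilterException:
    iface: str             # only the ingress point where the return path appears
    src_net: IPv4Network   # customers known to use the filtering service
    dst_net: IPv4Network   # on-net web servers only
    dport: int


EXCEPTIONS = [FilterException("peering0", ip_network("198.51.100.0/24"),
                              ip_network("192.0.2.80/32"), 80)]


def ingress_verdict(pkt, exceptions=EXCEPTIONS):
    """Classify a packet arriving at the network edge."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.iface not in EXTERNAL_IFACES:
        return "accept"            # customer-facing checks are not modelled here
    if not any(src in net for net in OWN_PREFIXES):
        return "accept"            # genuinely external source
    for ex in exceptions:
        if (pkt.iface == ex.iface and src in ex.src_net
                and dst in ex.dst_net and pkt.dport == ex.dport):
            return "accept-exception"
    return "drop-spoofed"          # our own address arriving from outside


if __name__ == "__main__":
    for p in [Packet("peering0", "198.51.100.7", "192.0.2.80", 80),
              Packet("transit0", "198.51.100.7", "192.0.2.80", 80),
              Packet("peering0", "198.51.100.7", "192.0.2.25", 80),
              Packet("peering0", "203.0.113.5", "192.0.2.80", 80)]:
        print(p, "->", ingress_verdict(p))
```

Keeping the exception tied to ingress interface, source range, destination and port means any other packet carrying an on-net source address from outside is still dropped.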
