"jose orlando t. ribeiro" wrote:
>
> Bob,
>
> Pierre is right...
But Jose nailed it first! Let's not forget that Bob did a nice job of getting
the "filter" piece of the puzzle... Nice teamwork!
[more below]
> I was trying to trace the other machine (216.153.135.10) but I
> couldn't... that machine is down or filtered...
>
> but, here we go... 64.65.210.2 is your isp's router... 64.65.206.1 is
> the interface in that router serving as your router...
>
> my last hop before 216.153.135.10 was 64.65.210.2... the same guy that
> works as your router...
>
> so your machine 216.153.135.10 to 64.65.206.24...
>
> let's do a fictitious trace...
>
> 216.153.135.10> traceroute 64.65.206.24
>
> 1 20 ms 19 ms 21 ms 64.65.210.2
> 2 19 ms 19 ms 20 ms 64.65.206.1
> 3 22 ms 21 ms 20 ms 64.65.206.24
>
> (until now everything is ok! your machine replied... let's continue...)
>
> 4 21 ms 25 ms 27 ms 208.178.159.66
> 5 21 ms 32 ms 85 ms 208.178.159.65
>
> (we are leaving your network by the T1! oh my god!!!)
>
> 6 32 ms 30 ms 24 ms 64.65.210.2
>
> (we are close now!!! very close!!! :-)
>
> but... your ISP's router says...
>
> -Hey!! that packet... its header says it comes from 64.65.206.24! That
> packet is coming from my network! But... if it's from my network... why
> does it come from the other ISP's network??? Filter!! Filter!!!
>
> The filter says:
>
> -Aha!!! A spoof!!! A spoof!! I knew it would happen!!! That freakin'
> bastard is trying to spoof us! DOS!! DOS! Attacks... I knew it!
>
> - Let's see the rules... the rules say... DISCARD!! let's discard the
> bastard!! We saved the world...
>
> So your packets never reach the other machine...
>
> Sorry... I know that the answer is colorful... but I need to stay
> awake... :-)))
I just got up... and can say Jose pretty much nailed the scenario...
The problem is that most ISPs only understand the "concepts", rarely how to
apply the remedies... in this case, Bob is obviously NOT the typical
"end-user". For one, he has TWO routes to the 'net via separate ISPs...
Bob, (now that I am slowly shaking off the post-sleep grogginess... :^) you
should try to have a meeting or conf call with both ISPs at the same time and
have them work out a design which accommodates their anti-spoofing efforts AND
allows you to operate your network with the redundancy you are paying for.
[Sidebar: each ISP is not getting "redundancy" revenue directly; BUT *each* is
getting your business, so if they argue your redundancy position, ask them if
ISP#3 would like ALL your business... :^) ] My SWAG is that this will involve
one or both ISPs giving you new IP addresses which will allow your traffic to
circumvent their general policy filters (one tier above the home user
addresses). They may want to come up with second tier policy filters (may even
already have them) to make sure they satisfy their bosses' requirements for
anti-spoofing; but that's a problem of the ISPs coordinating their efforts...
On another topic, and to avoid future issues, you may also want to consider
having the ISPs help you come up with a plan which will allow you to
automatically failover to the DSL in the event of a T1 failure. This might
involve them feeding you RIP default routes and you running RIP and setting the
DSL "administratively farther"... Don't let them try to charge you for this,
or you will "charge them for your consulting services"... :^D
[snipped Bob's reply to mine which was posted before the "admin filter" info]
Good luck,
Pierre
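The two mechanisms this thread turns on, the ISP's anti-spoofing ingress filter that discards Jose's hop-6 packet and the "administratively farther" backup default route Pierre suggests for T1/DSL failover, as an added worked example that is not code from anyone in the thread. The interface names, the 64.65.206.0/24 customer prefix (the thread only shows individual addresses in that block) and the administrative-distance values are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the address block the ISP router at 64.65.210.2
# regards as "its own" customer space (where Bob's 64.65.206.24 lives).
ISP_A_CUSTOMER_PREFIXES = [ipaddress.ip_network("64.65.206.0/24")]

# Constructed interface names on that router: one customer-facing port
# (toward 64.65.206.1 / the DSL) and one peering port toward the other ISP.
CUSTOMER_IFACES = {"cust-dsl"}
PEER_IFACE = "peer-isp-b"


@dataclass
class Packet:
    src: str
    dst: str
    arrived_on: str  # interface the packet entered the filtering router on


def ingress_filter(pkt, customer_prefixes=ISP_A_CUSTOMER_PREFIXES,
                   customer_ifaces=CUSTOMER_IFACES):
    """BCP38-style ingress check as the thread describes it.

    A source address inside our own customer space is only legitimate if it
    entered on a customer-facing interface. Arriving from a peer with such a
    source looks like spoofing and is discarded, which is exactly what happens
    to Bob's T1-routed packets with their 64.65.206.24 source.
    """
    src = ipaddress.ip_address(pkt.src)
    from_our_space = any(src in net for net in customer_prefixes)
    if from_our_space and pkt.arrived_on not in customer_ifaces:
        return "DISCARD"
    return "FORWARD"


def replay_fictitious_trace():
    """Replay Jose's two paths through 64.65.210.2 and return the verdicts."""
    # Normal path: Bob's DSL side, packet enters on the customer interface.
    via_dsl = Packet("64.65.206.24", "216.153.135.10", "cust-dsl")
    # Hop 6 in Jose's trace: same source, but it went out Bob's T1, across
    # the other ISP (208.178.159.x) and back in on the peering interface.
    via_t1 = Packet("64.65.206.24", "216.153.135.10", PEER_IFACE)
    return {"via_dsl": ingress_filter(via_dsl), "via_t1": ingress_filter(via_t1)}


# Constructed failover model for Pierre's suggestion: two default routes,
# the DSL one set "administratively farther" so it only wins when T1 is down.
DEFAULT_ROUTES = [
    {"via": "t1",  "next_hop": "208.178.159.65", "distance": 120},  # assumed
    {"via": "dsl", "next_hop": "64.65.206.1",    "distance": 130},  # assumed
]


def choose_default_route(link_up, routes=DEFAULT_ROUTES):
    """Pick the usable default route with the lowest administrative distance.

    link_up maps route name -> bool. Returns the winning route name, or None
    when no path is up.
    """
    candidates = [r for r in routes if link_up.get(r["via"], False)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r["distance"])["via"]


if __name__ == "__main__":
    print(replay_fictitious_trace())
    print("both up ->", choose_default_route({"t1": True, "dsl": True}))
    print("T1 down ->", choose_default_route({"t1": False, "dsl": True}))
```

The filter model shows why the fix Pierre describes has to come from the ISPs: the packet is well-formed and the source is genuine, but from 64.65.210.2's point of view it arrived on the wrong interface for that source, so only a second-tier rule that knows about Bob's dual-homed prefixes (or new addresses) can distinguish him from a spoofer.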