Jarad is correct.  There is lack of BCP38 filtering in the CPE ASN.

Either the packet has gone

        "probe" -> CPE ->(*) recursive server -> "probe"


        "probe" -> CPE -> recursive server -> CPE ->(*) "probe"

(*) indicates the packet that should have been blocked depending apon
how the NAT worked.

In either case the CPE ASN had failed to check the source address of
a packet.  In the first case the source address of the query to the
recursive server.  In the second case the source address of the reply
back to the probe after it had been through the NAT process.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

Reply via email to