nanog mailing list archives

Re: Packets from net 10 (no, not the lyrics)


From: "John A. Tamplin" <jat () traveller com>
Date: Tue, 23 Sep 1997 13:43:21 -0500 (CDT)

On Tue, 23 Sep 1997, Todd R. Stroup wrote:

You want to filter on an interface for this?  If you get the route into
your routing table that's where the problem starts.  Attaching the filter
to the peer session will at least get rid of the bad routes from the
start.  I would rather use CPU on keeping the BGP sessions clean than
wasting it on checking the interface for packets with 10/8.  If anyone
has any better suggestions, I would love to hear them. 

Maybe I am missing something, but we use an inbound access list on all
external links that eliminates IP address spoofing, as well as some basic
security issues (blocking NFS, r* commands, etc just in case some machine
inside is misconfigured).  If you have an inbound access list that filters
based on the source address already, why would you not add the private 
addresses to that?

John Tamplin                                    Traveller Information Services
jat () Traveller COM                            2104 West Ferry Way
205/883-4233x7007                               Huntsville, AL 35801
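
The inbound filter discussed in this message, sketched as a first-match evaluator. This is an added example, not part of the original post or anyone's router configuration. The internal prefix, the sample packets and the function name are constructed assumptions, and the transport protocol is not modeled.

```python
import ipaddress

# Assumption: the site's own address block (a documentation prefix, constructed).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
# RFC 1918 private ranges, never valid as a source arriving on an external link.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services named in the message: NFS (2049) and the r* commands (512-514).
BLOCKED_PORTS = {2049, 512, 513, 514}


def inbound_verdict(src, dst, dport):
    """First-match evaluation of an inbound filter on an external link."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    # Anti-spoofing: our own addresses cannot legitimately arrive from outside.
    if s in INTERNAL:
        return "deny: spoofed internal source"
    # The addition the message proposes: drop private sources in the same list.
    if any(s in net for net in PRIVATE):
        return "deny: private source"
    # Basic service blocking in case an inside machine is misconfigured.
    if d in INTERNAL and dport in BLOCKED_PORTS:
        return "deny: blocked service"
    return "permit"


# Constructed sample packets: (source, destination, destination port).
SAMPLES = [
    ("192.0.2.77", "192.0.2.10", 80),      # claims to be one of our hosts
    ("10.1.2.3", "192.0.2.10", 25),        # net 10 source
    ("172.31.255.1", "192.0.2.10", 53),    # last address inside 172.16/12
    ("172.32.0.1", "192.0.2.10", 25),      # just outside 172.16/12
    ("198.51.100.9", "192.0.2.10", 2049),  # NFS from outside
    ("198.51.100.9", "192.0.2.10", 513),   # rlogin from outside
    ("198.51.100.9", "192.0.2.10", 25),    # ordinary mail
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", inbound_verdict(*pkt))
```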


