Re: Things to do to make the network better

[Pete Ashdown <pashdown () xmission com>]

Owen DeLong said once upon a time:

> > I will also point out that many of the recent "smurf" attacks and
> > similar problems people are having on the net would be gone if people
> > would just carefully filter internal/external addresses on their
> > border machines, that is, prevent packets claiming to be from "inside"
> > networks from coming in from the "outside", and prevent packets
> > claiming to be from "outside" networks from going out from the
> > "inside". The latter will stop your network from *ever* being the
> > source of a wide variety of packet forgery attacks, and is necessary
> > to being a good network citizen. The former will stop your network
> > from being the subject of a wide variety fo packet forgery attacks,
> > and is necessary to make your customers even remotely safe on the net.

Expecting everyone else to do the right thing is the wrong way to solve the
problem.  99% of everyone else will always do the easiest thing, which is
nothing.

> That's great if you're a downstream provider with no transit customers.
> However, when you become a transit provider, it becomes much more difficult
> to determine inside vs. outside, since you're more in the middle between
> two "outsides" that pass traffic through you.

Use customer configurable filters.  There is no excuse for becoming less
responsible as you grow larger.