nanog mailing list archives

Re: ingress filtering


From: Jared Mauch <jared () puck nether net>
Date: Thu, 28 May 1998 14:57:44 -0400

        The great thing about the CC images released by cisco is that
(as long as you're running with ip cef or ip cef dist) you can turn on
this neato command on your interfaces to your customers:

        ip verify unicast reverse-path

        This automatically does filtering based on your local router's
routing table.

        This means you can take a customer connection and filter them.

        You will encounter problems if they are multihomed and have
netblocks that you don't route directly to them, but you can make
those changes later as they multihome.  We've had a few problems with
our customers and doing this, when we don't route all their address
space, but this is easily fixed.  Asymmetrical routing is an evil you
have to live with and adjust to, so if you have more than
one upstream, I would not apply such filters to those interfaces.

        I would recommend that everyone who has the ability to do this
on their routers do so.  This will help many possible problems.

        If we can get enough people to make this part of their default
configuration (such as no ip directed-broadcast is these days) on their
ports to customers, we could prevent many DoS attacks.  If you have
dialup lans (ie: mci, uunet, etc.. who have big public dialup pools)
PLEASE filter these, as well as the smaller providers out there.

        - jared

On Thu, 28 May 1998, Mr. Dana Hudes wrote:

Who *does* do ingress filtering? I have it on our border routers
and customer connect ports. We have transit from MCI and UUNET.
Neither has ingress filters -- see below message from MCI on
this.

Subject: Re: RFC1918 addresses from MCI
   Date: Thu, 28 May 1998 08:16:23 -0700
   From: security () mci net
      To: dhudes () graphnet com
     CC: security () mci net

Mr. Hudes,


Thank you for your note.  MCI does not currently source filter address
space at its ingress points.  Addresses sourced from non-routable or
invalid addresses are not blocked or filtered.  Addresses destined to
non-routable address space are not routed.

If you think it is a security issue and it is on-going then please
contact us with the target address so we can investigate.

-- 
       Work: jared () qual net - We Make The Internet Work for Your Business
             9-5pm(ET) 800 637 4424x2634 - 24x7 NOC - 800 424 3223
            pgp key available via finger from jared () puck nether net

