nanog mailing list archives
Re: source filtering
From: Jared Mauch <jared () puck nether net>
Date: Tue, 12 Jan 1999 13:06:47 -0500
On Tue, Jan 12, 1999 at 05:51:36PM +0000, Alex Bligh wrote:
> 2) Using the "ip verify unicast reverse-path" Cisco feature (it's in 11.1CC images when you use CEF, so I don't get a flood of e-mails)
>
> I'm sure far more people would source filter if Cisco put this in CPE routers.

This does not mean you can't filter on your fastether, ether, fddi, etc. that goes to customer aggregation boxes, or on the T1 where that connectivity hits your core backbone node (I understand there are cases where this would not work, for some larger customers perhaps), but for most cases, this would be possible.

If I have network topology that provides the following scenario:

        upstream
           |
     +----------+
     | core rtr |--- N x backbone link(s)
     +----------+
           \
            \ +------------+
             -| access lan |
              +------------+

Where access lan is any number of customer aggregation boxes, such as 36xx w/ t1 intfs, (dial) access boxes, etc, you can source filter that lan at that point instead of the edge.

If you manage lans similar to this, you shouldn't allow your dial customers to spoof and start these attacks.

- Jared

--
Jared Mauch | pgp key available via finger from jared () puck nether net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
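
An added example, not part of the original message or of any Cisco code: a small Python model of the strict reverse-path check applied on the core router's access-lan interface in the diagram above. The prefixes (documentation ranges), interface names, and the asymmetric-routing explanation for the "larger customers" case are assumptions made for illustration.

```python
import ipaddress

# Constructed FIB for the "core rtr" in the diagram: (prefix, interface of best route).
# Prefixes are documentation ranges; interface names are hypothetical.
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("198.51.100.0/24", "backbone0"),   # prefix reached over a backbone link
    ("192.0.2.0/24", "accesslan0"),     # aggregation boxes / dial pools on the access lan
    ("203.0.113.0/24", "backbone0"),    # larger customer whose best return path is elsewhere
]

def best_route(fib, addr):
    """Longest-prefix match: interface of the most specific route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in fib]
    hits = [(n.prefixlen, ifc) for n, ifc in nets if ip in n]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def urpf_strict(fib, src, in_ifc):
    """Strict reverse-path check: accept only when the best route back to the
    source address leaves through the interface the packet arrived on."""
    return best_route(fib, src) == in_ifc

# Constructed packets arriving at the core router: (description, source, arrival interface).
PACKETS = [
    ("dial customer, own address", "192.0.2.10", "accesslan0"),
    ("source belongs behind a backbone link", "198.51.100.7", "accesslan0"),
    ("source only covered by the default route", "10.1.2.3", "accesslan0"),
    ("larger customer, asymmetric return path", "203.0.113.5", "accesslan0"),
]

def verdicts(fib=FIB, packets=PACKETS):
    """Return {description: 'forward' | 'drop'} for each sample packet."""
    return {d: ("forward" if urpf_strict(fib, s, i) else "drop") for d, s, i in packets}

if __name__ == "__main__":
    for desc, verdict in verdicts().items():
        print(f"{verdict:8} {desc}")
```

The last packet is legitimate traffic that the strict check still drops, which is why such an interface needs an explicit access list instead of the reverse-path check.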