nanog mailing list archives
Re: Filtering Best Practices, et al (Was Verio Peering, Gordon's Knot)
From: Jared Mauch <jared () puck Nether net>
Date: Tue, 9 Oct 2001 11:57:14 -0400
Recent versions of IOS support a cool feature:

"ip verify unicast source reachable-via any"

which can be installed on interfaces. This will silently drop (assuming you're using cef) packets sourced from prefixes that you do not have a route for.

ie: if you don't have 10/8 in your routing table, and someone sends you a packet sourced from 10.0.0.3 it will get dropped.

that will drop all your rfc1918 space (with the obvious caveat of if you route it) at the edge or in the core easily.

as for non-packet filters, i defer to the plethora of threads

- jared

On Tue, Oct 09, 2001 at 07:58:19AM -0700, Grant A. Kirkwood wrote:

Not to beat an already-decaying horse, BUT...

I'm currently in the process of setting up a new border router, and the recent debate on the above topic got me wondering what the best practice filtering policy is? Is there one? And what do people put in place in terms of anti-spoofing ACLs and such? There's a wealth of information on these topics, but no real consensus. Or am I just reopening an ugly can of worms here?

TIA,

--
Grant A. Kirkwood - grant () virtical net
Chief Technology Officer - Virtical Solutions, Inc.
http://www.virtical.net/

--
Jared Mauch | pgp key available via finger from jared () puck nether net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
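The loose-mode source check described in the message above, modelled in Python as an added example (not part of the original post and not Cisco's implementation). The FIB contents and function names are constructed for illustration; the `allow_default` parameter models the IOS `allow-default` keyword, without which a source covered only by the default route fails the check.

```python
import ipaddress

# Constructed sample FIB for a border router: a default route plus two
# documentation prefixes. Note there is no route for 10.0.0.0/8.
SAMPLE_FIB = ["0.0.0.0/0", "192.0.2.0/24", "198.51.100.0/24"]


def best_route(fib, addr):
    """Longest-prefix match: most specific network covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in fib if ip in net]
    return max(matches, key=lambda net: net.prefixlen, default=None)


def loose_urpf_permits(fib_prefixes, src, allow_default=False):
    """Model of 'reachable-via any': permit the packet if ANY route covers
    its source address, regardless of the interface it arrived on."""
    fib = [ipaddress.ip_network(p) for p in fib_prefixes]
    route = best_route(fib, src)
    if route is None:
        return False  # no route at all for the source: silently dropped
    if route.prefixlen == 0 and not allow_default:
        return False  # only the default route matches: still dropped
    return True


def classify(fib_prefixes, sources, allow_default=False):
    """Return {source: 'permit' | 'drop'} for a batch of source addresses."""
    return {
        s: "permit" if loose_urpf_permits(fib_prefixes, s, allow_default) else "drop"
        for s in sources
    }


if __name__ == "__main__":
    packets = ["10.0.0.3", "192.0.2.7", "172.16.4.1", "198.51.100.200"]
    print("no 10/8 route :", classify(SAMPLE_FIB, packets))
    # The caveat from the message: once RFC 1918 space is routed, it passes.
    print("10/8 routed   :", classify(SAMPLE_FIB + ["10.0.0.0/8"], packets))
    print("allow-default :", classify(SAMPLE_FIB, packets, allow_default=True))
```
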