nanog mailing list archives
RE: On the back of other 'security' posts....
From: "Terry Baranski" <tbaranski () mail com>
Date: Sun, 31 Aug 2003 13:49:15 -0400
On Sunday, August 31, 2003 8:26 AM Stephen J. Wilcox wrote:

> On Sat, 30 Aug 2003, Terry Baranski wrote:
>
>> In what instances is blocking spoofed traffic at the edge not feasible? ("Spoofed" as in not sourced from one of the customer's netblocks.)
>
> Where the customer is not a basic end user.. an ISP for example who may be transiting traffic from netblocks that are not theirs.

I've been using the term "edge" to refer to a standard customer; i.e., not an ISP. I tend to think of ISP <-> ISP links as borders, but I guess the term only applies to peers. But in any case, if all ISPs put anti-spoof filters on "standard customer" edge links as well as their own upstream links, is there any need for such filters anywhere else? It might be compared to deploying protocol extensions such as S(o)BGP: the benefit gained correlates with ubiquity of the deployment.

> We still have the other problem where a lot of large networks are using RFC1918 addresses that do not get NAT'd thus filtering will break pMTU.. this is an issue in my experience mainly for those who host websites, altho many of those are filtering their own packets anyway and have broken sites!

Fair enough, though most seem to consider this a broken design practice. If one of the side effects of anti-spoof filtering is that broken networks break some more, maybe that's tolerable.

-Terry
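Editor's added example, not part of the original thread: a small Python model of the customer-edge source filter discussed above, showing the two side effects raised in the message (a downstream ISP's transit traffic, and ICMP "fragmentation needed" replies sourced from un-NAT'd RFC1918 addresses). The function names, the `Packet` type and all addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:                      # hypothetical minimal packet model
    src: str
    proto: str                     # "tcp", "udp" or "icmp"
    icmp_type: int = -1
    icmp_code: int = -1

def is_frag_needed(pkt):
    # ICMP type 3 code 4: "fragmentation needed and DF set" (drives path MTU discovery)
    return pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 4

def edge_ingress_filter(pkt, customer_netblocks):
    """Verdict for a packet arriving from a customer link: (action, reason)."""
    src = ipaddress.ip_address(pkt.src)
    nets = [ipaddress.ip_network(n) for n in customer_netblocks]
    if any(src in n for n in nets):
        return ("permit", "source in customer netblock")
    if any(src in n for n in RFC1918):
        if is_frag_needed(pkt):
            return ("drop", "rfc1918 source; pmtu signal lost")
        return ("drop", "rfc1918 source")
    return ("drop", "source outside customer netblocks")

def run_cases():
    end_user = ["192.0.2.0/24"]                       # constructed customer netblock
    isp_cust = ["192.0.2.0/24", "198.51.100.0/24"]    # ISP customer plus one transited block
    return {
        "legit":        edge_ingress_filter(Packet("192.0.2.10", "tcp"), end_user),
        "spoofed":      edge_ingress_filter(Packet("203.0.113.5", "udp"), end_user),
        # Router interface numbered from RFC1918 space replying "frag needed"
        "pmtu":         edge_ingress_filter(Packet("10.1.1.1", "icmp", 3, 4), end_user),
        # Transit traffic from a block the filter was never told about
        "transit_miss": edge_ingress_filter(Packet("198.51.100.7", "tcp"), end_user),
        "transit_ok":   edge_ingress_filter(Packet("198.51.100.7", "tcp"), isp_cust),
    }

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:13s} {verdict[0]:6s} {verdict[1]}")
```

The `transit_miss` and `transit_ok` cases differ only in whether the transited netblock is in the filter list, which is why a per-customer prefix list that works for an end user needs maintenance when the customer is itself an ISP.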