nanog mailing list archives

Re: SYN floods (was: does history repeat itself?)


From: "Justin W. Newton" <justin () erols com>
Date: Fri, 13 Sep 1996 10:51:14 -0400

At 04:37 AM 9/13/96 -0400, Alexis Rosen wrote:
> Alex.Bligh writes:
>
> > I think you are talking about filtering inbound packets to your
> > router and restricting them to BGP announcements (I don't
> > think Avi was - see below). This would be done on the destination
> > address (checking it was within your announced route set) and
> > thus doesn't help protect against spoofed source addresses.
>
> No, Justin's talking about filtering _customers'_ packets at Justin's
> border with the customer. No BGP involved. This assumes customers that
> are not providers (ie, no transit for other nets through the customer).
> Good enough if all providers do the right thing (or if almost all do).
>
> What Justin meant about his BGP announcements was that a customer's
> packet is legal IFF Justin's announcing that packet's net by BGP (on
> _behalf_ of the customer, not _to_ the customer). Again, customer means
> a site that's not a BGP peer.

Actually what Justin was talking about is as follows...

Justin will only allow packets out of his border routers /to/ peers if they
are packets with a source address inside the ranges of addresses he
announces via BGP.  I.e., if I announce 192.1.1.0 0.0.0.255 I would allow a
packet with an address of 192.1.1.1 out of my network into "the net at
large" but not if the packet's source address was 192.1.2.1.  I will allow
any packet which I allow to enter my network into a customer's network.
Their filtering is their problem.

Justin Newton
Internet Architect
Erol's Internet Services
- - - - - - - - - - - - - - - - -
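The egress rule Justin describes, written out as an added example (not code from the original post or from Erol's): it parses the Cisco-style "address wildcard" notation used in the post and applies the source-address check only on the link toward peers, passing anything on the link toward a customer. The class name, the `to_peer`/`to_customer` labels and the sample traffic are my own constructions.

```python
import ipaddress
from typing import Iterable, List, Tuple


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn Cisco-style 'address wildcard' (e.g. '192.1.1.0 0.0.0.255')
    into a prefix. In a wildcard a 1 bit means 'don't care', so the
    subnet mask is its bitwise complement."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    # Only a contiguous run of don't-care bits maps to a single prefix.
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


class EgressFilter:
    """Border-router policy from the post: toward peers, pass a packet only
    if its source lies inside a range we announce via BGP; toward a
    customer, pass anything we already admitted into our network."""

    def __init__(self, announced: Iterable[str]) -> None:
        # Each entry is an 'address wildcard' string, as written in the post.
        self.nets = [wildcard_to_network(*entry.split()) for entry in announced]

    def permits(self, src: str, egress: str) -> bool:
        if egress == "to_customer":
            return True  # "Their filtering is their problem."
        if egress != "to_peer":
            raise ValueError(f"unknown egress {egress}")
        ip = ipaddress.IPv4Address(src)
        return any(ip in net for net in self.nets)


def dropped(flt: EgressFilter, packets: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the sources of packets the filter would discard. Each packet
    is (source address, egress link label)."""
    return [src for src, egress in packets if not flt.permits(src, egress)]


if __name__ == "__main__":
    # Constructed sample traffic leaving the border router.
    flt = EgressFilter(["192.1.1.0 0.0.0.255"])
    sample = [("192.1.1.1", "to_peer"),       # inside announced range: passes
              ("192.1.2.1", "to_peer"),       # unannounced source: dropped
              ("192.1.2.1", "to_customer")]   # customer link: not checked
    print(dropped(flt, sample))  # ['192.1.2.1']
```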