nanog mailing list archives

Re: Blocking spoofing at the source (was: ICMP Attacks??)


From: Robert Sanders <rsanders () mindspring net>
Date: 29 Aug 1997 18:25:20 -0400

Phil Howard <phil () charon milepost com> writes:

> As long as _one_ _of_ _the_ _routes_ would go back on the interface the
> packet arrived on, not necessarily the best route, then the logic would
> work in the majority of cases that I know of.
>
> But this could require a more extensive route lookup, which would do more
> than just double the CPU time looking up routes.

Not necessarily.  For routers at the very edge of the network, each
interface probably has a small and fairly static set of route
candidates through it.  The router could automatically update a magic
IP traffic filter that's updated whenever the set of routes through
the interface changes.  This, possibly coupled with some aggressive
aggregation, is for most cases a Simple Matter Of Programming that
wouldn't significantly impact router performance.  Even at the core,
the cost of updating filter lists due to route flap has to be much,
much less than the cost of doubling (or worse) the number of route
table lookups per packet forwarded.

regards,
  -- Robert
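The scheme Robert sketches, as an added illustration that is not code from the thread: each interface carries a source-address filter compiled from the routes that exit through it, the filter is rebuilt only for the interfaces whose route set changed, adjacent blocks are aggregated, and the per-packet check is a lookup in that filter rather than a second routing-table lookup. Phil's relaxed rule is kept, so a source is accepted if any of the equal-cost routes for it uses the arrival interface. The interface names and prefixes are constructed; `accept_by_lookup` is a reference implementation included only to show the two approaches agree.

```python
"""Per-interface anti-spoofing source filters compiled from the routing table.

Added example modelling the thread's proposal; every prefix and interface
name below is constructed for illustration.
"""
from ipaddress import collapse_addresses, ip_address, ip_network


def _subtract(pieces, hole):
    """Remove CIDR block `hole` from a list of disjoint CIDR blocks.
    CIDR blocks are either nested or disjoint, so each piece is dropped,
    carved with address_exclude, or kept untouched."""
    out = []
    for piece in pieces:
        if piece.subnet_of(hole):
            continue                                  # inside the hole
        if hole.subnet_of(piece):
            out.extend(piece.address_exclude(hole))   # carve the hole out
        else:
            out.append(piece)
    return out


class RpfRouter:
    def __init__(self):
        self.routes = {}    # prefix -> set of interfaces with a route via them
        self.filters = {}   # interface -> aggregated list of permitted sources

    def _affected(self, prefix):
        """Interfaces whose filter depends on `prefix`: those routing it and
        those routing any enclosing prefix (a more-specific route punches a
        hole in the less-specific ones)."""
        ifaces = set(self.routes.get(prefix, ()))
        for p, ifs in self.routes.items():
            if prefix.subnet_of(p):
                ifaces |= ifs
        return ifaces

    def add_route(self, prefix, iface):
        net = ip_network(prefix)
        self.routes.setdefault(net, set()).add(iface)
        self._rebuild(self._affected(net))

    def withdraw_route(self, prefix, iface):
        net = ip_network(prefix)
        if net not in self.routes:
            return
        affected = self._affected(net)       # computed before removal
        self.routes[net].discard(iface)
        if not self.routes[net]:
            del self.routes[net]
        self._rebuild(affected)

    def _rebuild(self, ifaces):
        """Recompile the filters of the given interfaces only."""
        for iface in ifaces:
            allowed = []
            for p, ifs in self.routes.items():
                if iface not in ifs:
                    continue
                pieces = [p]
                # keep only addresses whose longest match is p itself
                for q in self.routes:
                    if q.prefixlen > p.prefixlen and q.subnet_of(p):
                        pieces = _subtract(pieces, q)
                allowed.extend(pieces)
            # aggressive aggregation: merge adjacent and nested blocks
            self.filters[iface] = list(collapse_addresses(allowed))

    def accept(self, iface, src):
        """Filter-table check: no routing-table lookup per packet."""
        ip = ip_address(src)
        return any(ip in net for net in self.filters.get(iface, ()))

    def accept_by_lookup(self, iface, src):
        """Reference: Phil's rule done as a per-packet longest-prefix lookup."""
        ip = ip_address(src)
        best = None
        for p in self.routes:
            if ip in p and (best is None or p.prefixlen > best.prefixlen):
                best = p
        return best is not None and iface in self.routes[best]


def demo_router():
    """Constructed edge router: two customer ports and one ECMP prefix."""
    r = RpfRouter()
    r.add_route("10.0.0.0/8", "cust-a")
    r.add_route("10.1.0.0/16", "cust-b")       # more specific, other port
    r.add_route("10.1.128.0/17", "cust-a")     # and back again inside it
    r.add_route("192.0.2.0/24", "cust-a")      # equal-cost via both ports
    r.add_route("192.0.2.0/24", "cust-b")
    return r


if __name__ == "__main__":
    r = demo_router()
    for iface, nets in sorted(r.filters.items()):
        print(iface, [str(n) for n in nets])
    print("cust-a 10.1.5.5 ->", r.accept("cust-a", "10.1.5.5"))
```

Withdrawing a route recompiles only the filters of the interfaces that carried that prefix or an enclosing one, which is the "update the filter when the set of routes through the interface changes" step from the post; the sample addresses in the test compare `accept` against the lookup-based reference to confirm the compiled filters encode the same decision.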

