nanog mailing list archives

Re: NSPs and filters


From: Phil Howard <phil () charon milepost com>
Date: Sat, 12 Jul 1997 10:50:23 -0500 (CDT)

It's not feasible to filter packets on customer gateway routers.  When you
impose a packet filter on a GW router customer interface, all packets
destined to that customer have to be matched to an access-list and then
forwarded down the pipe or dropped.  This increases the load on the
router CPU, because it is used to switching the packets.  Now you have to
analyze each packet which takes up CPU time.

This is not a nice thing to do to a router, especially while the router is
trying to keep up with 50 other customers...  And if more than 1 customer
wants this type of service, you start really feeling the load.

It isn't, or shouldn't be, an issue of whether the customer wants this
kind of service.  This is protection FROM that customer.  The principal
reason to not do this is the load it causes on the router.

Should it be discovered that source forged packets are coming from a given
customer, then you could apply this to that customer if they are not going
to just be summarily cut off.

Perhaps, in time, security demands may require doing more of this.  Or they
may require more kinds of traceability of where the bad packets are coming
from (also costly).

-- 
Phil Howard KA9WGN   +-------------------------------------------------------+
Linux Consultant     |  Linux installation, configuration, administration,   |
Milepost Services    |  monitoring, maintenance, and diagnostic services.    |
phil at milepost.com +-------------------------------------------------------+
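The post argues that a per-customer source-address filter costs router CPU and so should be applied selectively, to customers found to be emitting forged-source packets. The following is an added illustration, not code from the poster or from NANOG: a small Python model of that per-interface ingress check, where the interface names, the customer prefixes and the packet records are all constructed assumptions. It shows the check itself (source must fall within the prefixes assigned to the interface it arrives on) and the selective policy (only interfaces in the "filtered" set pay for the check), with a per-interface drop count as the traceability record the post mentions.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed assumption: the address space assigned to each customer interface.
# In the post's terms this is the access-list the GW router would match against.
CUSTOMER_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "serial0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "serial0/2": [
        ipaddress.ip_network("198.51.100.0/25"),
        ipaddress.ip_network("198.51.100.128/26"),
    ],
}

# A packet is modelled as (ingress interface, source address, destination address).
Packet = Tuple[str, str, str]

# Constructed sample traffic: two legitimate packets and two with sources that
# do not belong to the customer behind the interface they arrive on.
SAMPLE_PACKETS: List[Packet] = [
    ("serial0/1", "192.0.2.10", "203.0.113.5"),       # valid for serial0/1
    ("serial0/1", "10.9.9.9", "203.0.113.5"),         # forged: not a serial0/1 prefix
    ("serial0/2", "198.51.100.150", "203.0.113.5"),   # valid: inside 198.51.100.128/26
    ("serial0/2", "198.51.100.250", "203.0.113.5"),   # forged: outside both serial0/2 prefixes
]


def ingress_permitted(interface: str, src: str) -> bool:
    """True if a packet with source `src` may enter on `interface`.

    An interface with no configured prefixes fails closed: nothing is permitted,
    so a misconfigured filter cannot silently become a permit-all.
    """
    address = ipaddress.ip_address(src)
    return any(address in prefix for prefix in CUSTOMER_PREFIXES.get(interface, []))


def apply_policy(
    packets: Iterable[Packet], filtered_interfaces: Set[str]
) -> Tuple[List[Packet], Counter]:
    """Forward packets, applying the ingress check only on `filtered_interfaces`.

    Returns the forwarded packets and a per-interface count of dropped packets;
    the count is the minimal record an operator would want when deciding
    whether a customer should stay filtered or be cut off.
    """
    forwarded: List[Packet] = []
    dropped: Counter = Counter()
    for interface, src, dst in packets:
        # Unfiltered interfaces are switched without inspection, which is the
        # CPU saving the post is concerned about.
        if interface in filtered_interfaces and not ingress_permitted(interface, src):
            dropped[interface] += 1
            continue
        forwarded.append((interface, src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    # Filter only serial0/1: its forged packet is dropped, serial0/2's passes.
    fwd, drops = apply_policy(SAMPLE_PACKETS, {"serial0/1"})
    print(f"selective: forwarded={len(fwd)} dropped={dict(drops)}")
    # Filter every customer: both forged packets are dropped.
    fwd, drops = apply_policy(SAMPLE_PACKETS, {"serial0/1", "serial0/2"})
    print(f"all:       forwarded={len(fwd)} dropped={dict(drops)}")
```

Running the block prints the two policies side by side: with the filter on serial0/1 alone, three of the four sample packets are forwarded and the forged packet on the unfiltered serial0/2 still gets through; with both interfaces filtered, only the two valid packets are forwarded.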

