Re: NSPs and filters

[Jon Lewis <jlewis () inorganic5 fdt net>]

On Sat, 12 Jul 1997, Daniel Senie wrote:

> Another thing I'd like folks to consider. Many of you manage the routers
> at customer sites. I would guess that in most cases, folks forging IP
> addresses are NOT the folks who have access to routers at a site. If
> you, as an ISP, manage the router at the customer end of a circuit, ADD
> FILTERS THERE! Make sure that packets transmitted from the customer's
> router to your network are VALID addresses. The

FDT has an office with a Sprint/Centel T1 in which Sprint supplies and
maintains the router at our end...an intollerable situation, but that's
another story.

The topic of access-list filters has come up many times, and Sprint
refused to add any filters to the 2501 at our end, and would not give FDT
access to it in any way.  I noticed they were doing no filtering
whatsoever, and promptly gave them some real life examples of why egress
filtering is a good thing by forging packets into their NOC.  They proved
their cluelessness by adding tcp and udp egress filters, rather than just
ip.  Last time I tried, I could still forge icmp from tlh.

------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
________Finger jlewis () inorganic5 fdt net for PGP public key_______