nanog mailing list archives
Re: Land and Cisco question
From: Sean Donelan <SEAN () SDG DRA COM>
Date: Mon, 24 Nov 1997 3:34:34 -0600
> I'm sorry - but the Right Thing (tm) to do is to ingress filter, as I have already evangelized. Like it or not.
Paul is correct. Various vendors will update their systems to handle this packet of death, but someone will discover another packet of death. Anti-spoofing filters don't prevent them, but they do act as fire stops to slow their spread.

Topology may prevent you from creating perfect screens, but even with the 80/20 rule, anti-spoofing would impede many DOS attacks; or speed up the tracking of the source. Just because there are good reasons for not doing it in the 20%, you should still try to do it for the 80% it would help. Single-homed networks, even broad networks like MCI's backbone, rarely have legitimate packets with their source address originated by hosts not directly on those networks and routed through parts unknown.

As an added bonus, anti-spoofing filters also block several cases of people pointing default at your network.

Think about it.

--
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Affiliation given for identification not representation
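The ingress (anti-spoofing) filter Sean describes, as an added example that is not part of the original post: a small Python model of the per-interface policy, run over a handful of constructed packets, plus a renderer for the equivalent Cisco IOS standard access list. The interface names, prefixes and addresses are constructed for illustration; a `None` policy models the "20%" case (a multihomed or peer link where topology prevents a clean screen) and is left unfiltered.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source IP address as written in the header
    dst: str          # destination IP address

# Constructed policy: for each customer-facing interface, the prefixes that
# hosts behind it may legitimately use as a source. None means "no filter"
# (e.g. a multihomed customer or peer where a clean screen is not possible).
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
    "peer-x": None,
}

def ingress_permits(ingress_if, src):
    """Return True if a packet with source `src` may enter via `ingress_if`."""
    if ingress_if not in INGRESS_PREFIXES:
        return False  # assumption: unknown interface fails closed
    prefixes = INGRESS_PREFIXES[ingress_if]
    if prefixes is None:
        return True   # unfiltered link: topology does not allow a screen
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in prefixes)

def filter_packets(packets):
    """Apply the ingress policy and return (packet, verdict) pairs."""
    return [(p, "permit" if ingress_permits(p.ingress_if, p.src) else "deny")
            for p in packets]

def render_ios_acl(name, prefixes):
    """Render the same policy as a Cisco IOS named standard ACL.

    Applied inbound on the customer interface with `ip access-group NAME in`.
    Standard ACLs match on source address only, which is all anti-spoofing needs.
    """
    lines = [f"ip access-list standard {name}"]
    for p in prefixes:
        # IOS standard ACLs take a wildcard mask, i.e. the inverted netmask.
        lines.append(f" permit {p.network_address} {p.hostmask}")
    lines.append(" deny any")
    return "\n".join(lines)

# Constructed sample traffic.
SAMPLE = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5"),     # legitimate customer source
    Packet("cust-a", "203.0.113.5", "203.0.113.5"),    # source forged as the destination: not cust-a's space
    Packet("cust-b", "198.51.100.200", "203.0.113.5"), # outside the /25 actually assigned
    Packet("cust-b", "10.0.0.1", "203.0.113.5"),       # someone pointing default at us
    Packet("peer-x", "10.0.0.1", "203.0.113.5"),       # unfiltered link, passes
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE):
        print(f"{verdict:6s} {pkt.ingress_if:7s} {pkt.src} -> {pkt.dst}")
    print(render_ios_acl("CUST-A-IN", INGRESS_PREFIXES["cust-a"]))
```

The forged-source packet is dropped not because the filter recognises any particular "packet of death" but simply because the address is not one the customer link is allowed to originate, which is the fire-stop property the post argues for; the same rule also stops the default-route case.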