nanog mailing list archives

Re: Things to do to make the network better


From: Tom Killalea <tomk () nwnet net>
Date: Mon, 05 Jan 1998 09:56:43 -0800

I will also point out that many of the recent "smurf" attacks and
similar problems people are having on the net would be gone if people
would just carefully filter internal/external addresses on their
border machines, that is, prevent packets claiming to be from "inside"
networks from coming in from the "outside", and prevent packets
claiming to be from "outside" networks from going out from the
"inside". The latter will stop your network from *ever* being the
source of a wide variety of packet forgery attacks, and is necessary
to being a good network citizen. The former will stop your network
from being the subject of a wide variety of packet forgery attacks,
and is necessary to make your customers even remotely safe on the net.

I strongly recommend such filtering in sections 5.7 and 5.8 of my 
"Security Expectations for Internet Service Providers" draft
  ftp://ds.internic.net/internet-drafts/draft-ietf-grip-isp-02.txt
and we've heard Paul plug 
  ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt
here many times.

To answer Owen's comments regarding the difficulty of filtering for
transit providers, I argue that filtering should happen as close to the
actual hosts as possible.

Tom.
--
Tom Killalea   (425) 649-7417    NorthWestNet
               tomk () nwnet net
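The two rules in the post above (drop packets arriving from "outside" that claim an "inside" source, and drop packets leaving from "inside" that claim an "outside" source) as a small, runnable model of a border filter. This is an added example, not code from the post or from the drafts it cites; the inside prefixes, interface names and sample packets are constructed from documentation address space, and the Cisco-style "inside"/"outside" interface labels are an assumption.

```python
import ipaddress
from collections import Counter, namedtuple

# Constructed: the address space this border router is responsible for.
# Anything not in these prefixes is treated as "outside".
INSIDE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# A packet as seen by the border router: the interface it arrived on
# (assumed labels "inside" / "outside"), its source and its destination.
Packet = namedtuple("Packet", "iface src dst")


def is_inside(addr):
    """True if addr falls within one of our inside prefixes."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INSIDE_PREFIXES)


def verdict(pkt):
    """Apply the two anti-spoofing rules; returns (action, reason)."""
    src_inside = is_inside(pkt.src)
    if pkt.iface == "outside" and src_inside:
        # Ingress rule: nothing from the outside may claim an inside source.
        return ("DROP", "ingress-spoof: inside source arriving from outside")
    if pkt.iface == "inside" and not src_inside:
        # Egress rule: nothing leaving may claim a source we do not own,
        # so this network can never originate forged-source traffic.
        return ("DROP", "egress-spoof: outside source leaving from inside")
    return ("PERMIT", "")


def filter_packets(pkts):
    """Return (packet, action, reason) for every packet in pkts."""
    return [(p,) + verdict(p) for p in pkts]


def summarize(results):
    """Count dropped packets per reason, the way a filter log line would."""
    return Counter(reason for _, action, reason in results if action == "DROP")


# Constructed sample traffic mixing legitimate and forged sources.
SAMPLE = [
    Packet("outside", "203.0.113.5", "192.0.2.7"),     # normal inbound
    Packet("inside", "192.0.2.7", "203.0.113.5"),      # normal outbound
    Packet("outside", "192.0.2.7", "192.0.2.255"),     # forged inside source from outside
    Packet("inside", "203.0.113.9", "192.0.2.255"),    # forged outside source from inside
    Packet("inside", "198.51.100.200", "203.0.113.5"), # outside our /25, so also forged
]

if __name__ == "__main__":
    for pkt, action, reason in filter_packets(SAMPLE):
        print(f"{action:6} {pkt.iface:7} {pkt.src:>15} -> {pkt.dst:<15} {reason}")
    print(dict(summarize(filter_packets(SAMPLE))))
```

The same logic is what an interface access list on the border router expresses: the "inside" interface permits only sources within INSIDE_PREFIXES, and the "outside" interface denies them. Keeping the prefix list in one place is what makes the two rules stay consistent when addresses are added.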

