nanog mailing list archives

Re: SYN spoofing


From: Daniel Senie <dts () senie com>
Date: Tue, 03 Aug 1999 12:52:07 -0400


I wonder if any of the Cisco experts could comment on an idea for
removing bogons from the core...

Questions:

- do folks use Cisco's policy routing capabilities on their
  routers? core routers?

- does the use of policy routing significantly affect performance
  in the core?

The thought is that using policy routing capabilities of IOS, it appears
possible to separate out traffic matching certain characteristics,
including source addresses. If packets with bogus source addresses can
be so identified, the policy routing could route these to null0.

I don't know how Cisco did their implementation of this feature. It's
certainly possible to construct hardware which does source IP address
matching in hardware looking for bogons, by the same methods used to do
destination address matching (a.k.a. routing table lookups).

-- 
-----------------------------------------------------------------
Daniel Senie                                        dts () senie com
Amaranth Networks Inc.            http://www.amaranthnetworks.com
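
The source-address matching idea in the message above, sketched as an added example (not part of the original post and not Cisco's implementation): a binary trie, the structure used for destination route lookups, keyed on the source address instead. The prefix list and the names `SourceTrie`, `build_bogon_trie` and `policy_route` are assumptions made for illustration.

```python
import ipaddress

# Sample bogon source prefixes, constructed for this example.
# Not a complete or current list; a real deployment maintains its own.
BOGON_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
]

class SourceTrie:
    """Binary trie over IPv4 address bits, as used for destination lookups."""

    def __init__(self):
        self.root = {}

    def insert(self, prefix):
        net = ipaddress.ip_network(prefix)
        bits = int(net.network_address)
        node = self.root
        for i in range(net.prefixlen):          # walk one bit per level
            node = node.setdefault((bits >> (31 - i)) & 1, {})
        node["prefix"] = str(net)               # mark the end of a prefix

    def longest_match(self, address):
        """Return the most specific stored prefix covering address, or None."""
        bits = int(ipaddress.IPv4Address(address))
        node, best = self.root, None
        for i in range(32):
            if "prefix" in node:
                best = node["prefix"]
            node = node.get((bits >> (31 - i)) & 1)
            if node is None:                    # no deeper branch to follow
                return best
        return node.get("prefix", best)         # reached a /32 node

def build_bogon_trie(prefixes=BOGON_PREFIXES):
    trie = SourceTrie()
    for p in prefixes:
        trie.insert(p)
    return trie

def policy_route(trie, src):
    """Decide on the *source* address: bogons go to null0, the rest forward."""
    match = trie.longest_match(src)
    return ("null0", match) if match else ("forward", None)

if __name__ == "__main__":
    trie = build_bogon_trie()
    # Constructed sample source addresses.
    for src in ["10.1.2.3", "172.31.255.254", "172.32.0.1", "198.51.100.7", "240.0.0.1"]:
        print(src, *policy_route(trie, src))
```

The lookup cost is bounded by the address length (32 steps), the same as a destination lookup in this structure, which is the point the message makes about doing the match in hardware.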


