Vulnerability Development mailing list archives

Re: Automatic antispoofing rules on access servers.


From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Wed, 20 Sep 2000 14:48:17 +0800

The difference is, with this feature, you should not have to do as much
reconfiguration if your netblocks change. That's what I'm talking about -
lowering the administration costs for installing such rules at the access
points.

Check out the URL. You'll see that you don't have to write the rules by
hand. Use the same statements for every router.

By putting the rules at the access servers, ISPs can stop customers from
spoofing others within their networks.

Btw I'm not trying to promote Cisco here. In fact I was actually about to
post asking if any router manufacturer had done such a thing - uniform
config parameter(s) to do antispoofing on tons of different routers and
interfaces.  And then I found something like it on Cisco's site, and now
I'm wondering if ISPs actually know about it and are using it.

I was thinking "why hasn't anybody done this", and then "Oh they have!" :).

Cheerio,

Link.


At 10:41 AM 19-09-2000 -0700, Ryan Permeh wrote:
although this is a neat idea, placing antispoofing rules on your border
achieves the same level of protection at a much lower administrative cost.
I used to work at an isp, and putting together possibly thousands of
antispoofing rules by hand in an understaffed, undertechnical environment is
a hard thing to do.  Especially in the isp acquisition climate where your
netblocks may not be the same for a while.  If we got people to shut off
broadcasts (at least icmp, if not all) and spoofing at the borders it would
help a whole lot.

PS: this doesn't just apply to isp's.  there are schools and businesses that
are just as guilty (and sometimes have just as big networks).
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com
----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () POP JARING MY>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, September 18, 2000 7:50 PM
Subject: Automatic antispoofing rules on access servers.


I believe antispoofing filters won't really use up much CPU. So probably
one of the main reasons ISPs don't use them at their access servers is the
administrative cost in maintaining the rules.

However I recently noticed that Cisco has a feature which seems to make
this simpler to do.


http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/rpf_plus.htm

Do other major router/access server manufacturers have similar features?

If such features were more widely used, smurfing and spoofing stuff would
be a lot more difficult than it is now.

Are there any problems which would discourage use by ISPs?

Cheerio,
Link.
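The per-interface source check that the Cisco RPF page above describes, modelled as an added example that is not part of this thread: a router's forwarding table is consulted in reverse, and a packet is accepted only if the best route back to its source address points out the interface it arrived on (strict mode), or, more loosely, if any non-default route covers the source at all. The routing table, interface names and sample packets are all constructed for illustration.

```python
import ipaddress

# Constructed forwarding table: destination prefix -> outgoing interface.
# Longest prefix wins, exactly as a normal forwarding lookup would.
ROUTES = {
    "0.0.0.0/0": "Serial0",        # default route towards the upstream
    "192.0.2.0/24": "Dialer1",     # customer pool A behind the access server
    "198.51.100.0/24": "Dialer2",  # customer pool B
    "203.0.113.8/29": "Ethernet0", # a small LAN segment
}
FIB = [(ipaddress.ip_network(p), iface) for p, iface in ROUTES.items()]

def lookup(addr):
    """Longest-prefix match: interface a packet *destined to* addr would leave on."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in FIB:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(src, in_iface):
    """Strict reverse-path check: the route back to src must use the ingress interface.
    On a customer-facing interface this rejects any source not in that customer's pool;
    on the upstream interface everything covered by the default route still passes."""
    return lookup(src) == in_iface

def urpf_loose(src):
    """Loose reverse-path check: some route other than the default must cover src.
    Excluding the default route is the assumed behaviour, so unrouted space is dropped."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net, _ in FIB if net.prefixlen > 0)

def filter_packets(packets):
    """Apply strict uRPF to (src, in_iface) pairs; return list of (src, iface, verdict)."""
    return [(src, iface, "accept" if urpf_strict(src, iface) else "drop")
            for src, iface in packets]

if __name__ == "__main__":
    # Constructed traffic: a legitimate customer, a customer spoofing pool B,
    # and a customer spoofing an address only the default route covers.
    sample = [("192.0.2.10", "Dialer1"), ("198.51.100.7", "Dialer1"), ("10.9.9.9", "Dialer1")]
    for src, iface, verdict in filter_packets(sample):
        print(f"{src:>14} via {iface:<9} -> {verdict}")
```

Because strict mode assumes symmetric routing, it fits the access and customer interfaces the thread is discussing rather than multi-homed borders, which is one of the practical objections an ISP would raise.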