Re: Automatic antispoofing rules on access servers.

[Ryan Permeh <Ryan () EEYE COM>]

this is an interesting addition to cisco's ios.  i commend them for adding
this.  Two questions, what level of ios does this feature require, and has
anyone done any testing against any implementation of this to make certain
it does what it says?
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com
----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () pop jaring my>
To: "Ryan Permeh" <Ryan () EEYE COM>; <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, September 19, 2000 11:48 PM
Subject: Re: Automatic antispoofing rules on access servers.


> The difference is, with this feature, you should not have to do as much
> reconfiguration if your netblocks change. That's what I'm talking about -
> lowering the administration costs for installing such rules at the access
> points.
>
> Check out the url. You'll see that you don't have to write the rules by
> hand. Use the same statements for every router.
>
> By putting the rules at the access servers, ISP can stop customers from
> spoofing others within their networks.
>
> Btw I'm not trying to promote Cisco here. In fact I was actually about to
> post asking if any router manufacturer had done such a thing - uniform
> config parameter(s) to do antispoofing on tons of different routers and
> interfaces.  And then I found something like it on Cisco's site, and now
> I'm wondering if ISPs actually know about it and are using it.
>
> I was thinking "why hasn't anybody done this", and then "Oh they have!"
:).
> Cheerio,
>
> Link.
>
>
> At 10:41 AM 19-09-2000 -0700, Ryan Permeh wrote:
> > although this is a neat idea, placing antispoofing rules on your border
> > acheives thew same level of protection at a much lower administrative
cost.
> > i used to work at an isp, and puting together possibly thousands
> > antispoofing rules by hand in an understaffed, undertechnical environment
is
> > a hard thing to do.  Especcially in the isp aquisition climate where your
> > netblocks may not be the same for a while.  If we got people to shut off
> > broadcasts(at least icmp, if not all) and spoofing at the borders it
would
> > help a whole lot.
> >
> > PS: this doesn't just apply to isp's.  there are schools and buisnesses
that
> > are just as guilty (and sometimes have just as big networks).
> > Signed,
> > Ryan
> > eEye Digital Security Team
> > http://www.eEye.com
> > ----- Original Message -----
> > From: "Lincoln Yeoh" <lyeoh () POP JARING MY>
> > To: <VULN-DEV () SECURITYFOCUS COM>
> > Sent: Monday, September 18, 2000 7:50 PM
> > Subject: Automatic antispoofing rules on access servers.
> >
> >
> > > I believe antispoofing filters won't really use up much CPU. So
probably
> > > one of the main reasons ISPs don't use them at their access servers is
the
> > > administrative cost in maintaining the rules.
> > >
> > > However I recently noticed that Cisco has a feature which seems to make
> > > this simpler to do.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/12
1
> > > t/121t2/rpf_plus.htm
> > >
> > > Do other major router/access server manufacturers have similar
features?
> > > If such features were more widely used, smurfing and spoofing stuff
would
> > > be a lot more difficult than it is now.
> > >
> > > Are there any problems which would discourage use by ISPs?
> > >
> > > Cheerio,
> > > Link.