Egress filtering at border points is appropriate for leaf networks. 
 Many ISPs, though, also ferry third-party traffic between their 
peering points; it would be inappropriate for them to accept traffic 
that an egress rule elsewhere will prevent them from delivering.

  This isn't to say that it can't or shouldn't be done, only that 
determining how much filtering should be done, and at which routers, 
may be less simple for multi-homed ISPs than it sounds.

David Gillett


On 9 Jun 2001, at 21:16, Paul D. Robertson wrote:

> On Sat, 9 Jun 2001, Bill Royds wrote:
> 
> > Note: RFC 2267 has been superseded by RFC 2827
> 
> Thanks, I had indeed missed that.
> 
> > 
> > You are correct, RFC2827 is not a standard but it is a Best Current
> > Practice (BCP0038) which could be used as a precedent in a lawsuit if
> > it came to that. RFC2827 is about ingress filtering for backbones
> > rather than egress filtering for ISPs, but the rules are similar. It
> > is just which side of the peering point you are looking at. Egress
> > filtering would require a lot less horsepower than ingress filtering
> > because the border router already has routing tables for the IP
> > blocks it accepts traffic for. Using this on the source address of outgoing
> > traffic adds not much more memory overhead (although it does add more
> > CPU cost). This is just applying routing rules to outgoing traffic as
> > well as incoming traffic rather than doing any censoring.
> >    The golden rule of egress filtering: Only allow packets out of your
> > network with source IP address that you would allow in.
> > 
> 
> So, since we seem to be in basic agreement here- is there anyone who can
> come up with a significant impediment to mandatory egress filtering rules 
> other than getting buy-in (ISO layer 8 issues)?
> 
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
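As an added illustration of the golden rule quoted above (this is example code, not part of the thread or of RFC 2827), here is a small Python model of the same source-address check applied on both sides of a peering point: egress on the inside, ingress (BCP 38) at the peer. The prefixes and packets are constructed samples; a real border router would use its own routing table.

```python
import ipaddress
from collections import Counter

# Constructed sample: the address blocks this hypothetical ISP routes for its
# own customers. On a real border router this is the routing table itself.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

def is_own_address(addr):
    """True if addr lies inside a block we route (one we would accept inbound)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)

def egress_permit(src):
    """Golden rule, inside of the border: a packet may leave only if its
    source is an address we would accept inbound as a destination."""
    return is_own_address(src)

def ingress_permit(src):
    """Same rule seen from the peering point (RFC 2827 / BCP 38): a packet
    arriving from outside must not claim one of our own addresses as source."""
    return not is_own_address(src)

def filter_packets(packets):
    """packets: iterable of (direction, src, dst) with direction "in" or "out".
    Returns the permitted packets and a per-direction drop count, which is
    what an operator would graph to spot a spoofing host inside the network."""
    permitted, drops = [], Counter()
    for direction, src, dst in packets:
        check = egress_permit if direction == "out" else ingress_permit
        if check(src):
            permitted.append((direction, src, dst))
        else:
            drops[direction] += 1
    return permitted, drops

# Constructed sample traffic: a legitimate outbound packet, two spoofed outbound
# packets (random source, RFC 1918 source), a legitimate inbound packet and an
# inbound packet forged to look like it came from inside our network.
SAMPLE_PACKETS = [
    ("out", "192.0.2.10", "203.0.113.80"),
    ("out", "203.0.113.5", "203.0.113.80"),
    ("out", "10.0.0.1", "203.0.113.80"),
    ("in", "203.0.113.9", "192.0.2.10"),
    ("in", "192.0.2.7", "198.51.100.3"),
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"permitted={len(ok)} dropped={dict(dropped)}")
```

The two checks are the same membership test negated, which is the point Bill makes about it being a matter of which side of the peering point you look from; David's transit caveat is why a multi-homed ISP cannot apply the egress form to traffic it merely forwards for other networks.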
