On Saturday, 2001/10/13 at 18:37 EST, Ron DuFresne <[EMAIL PROTECTED]> wrote:

> On Sat, 13 Oct 2001, Tony Rall wrote:
>
> > When a Pix is used to protect servers that allow connections from the
> > Internet, the above features also typically won't help you stop spoofing
> > from the Internet (except maybe spoofing of your own internal addresses),
> > since the Pix will have a default route on its Internet interface.
>
> How does this differ any from the abilities of a router in general? Do
> not routers just block spoofs according to whether or not the traffic
> should be coming off a particular interface or not? And are they not just
> effective in that in the traffic they might have knowledge of <subnets
> connected to particular interfaces>? Is this not why there are so many
> issues with spoofed traffic in the first place, or am I not understanding
> the whole concept of blocking spoofed packets?
Well, routers typically *don't* block packets based on the source address. In fact, routers normally don't pay any attention to source addresses. Routing usually depends entirely on destination addresses. The idea that routers (or any other box) might want to block certain source addresses on a large scale is relatively new. So the concept, first (I think) implemented by Cisco with "ip verify unicast reverse-path", that only source addresses that would be routed out an interface will be allowed to source packets coming in that interface dates back to early 2000.

And it is a useful concept, but doesn't work in a number of substantial situations. It is especially problematic if you're trying to block spoofed addresses on an interface that's used for your default route. (Guess what, you then have a route for any address out that interface. It may not be your preferred route, but it's a route nonetheless.) It's a problem getting much benefit from this on a Pix because a Pix almost always has a default route on its Internet interface. Routers, on the other hand, may not use a default route at all. They may have a full BGP routing table (Pix doesn't support BGP).

Blocking potentially spoofed inbound connections from the Internet doesn't really help much anyway. If an attacking machine at 192.1.1.1 doesn't want to be traceable, it can spoof its address as 193.1.1.1. No destination network is going to be able to detect that that address is spoofed, and they aren't going to block it.

But blocking spoofed addresses from your own network is pretty easy (and everyone should be doing this, whether they do it with access lists or have a tool like "verify reverse-path"). If this is done and carried out down to the subnet level, machines that want to spoof would be limited to spoofing addresses on their own subnet. If this were widely done by ISPs and large network customers, spoofing would be effectively eliminated as an attack-hiding method.
Tony Rall

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
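The reverse-path check the post describes, worked through as an added Python simulation (not Pix or IOS code and not part of the original message): a strict check accepts a packet only when the best route back to its source address exits the interface the packet arrived on. The routing tables, interface names and the 10.1.x.x addresses are constructed for the example; 192.1.1.1 and 193.1.1.1 are the addresses from the post.

```python
import ipaddress

# Constructed routing tables (added example; not from the original post).
# Each entry is (prefix, egress interface); longest prefix wins.
PIX_ROUTES = [
    ("0.0.0.0/0", "outside"),   # default route on the Internet interface
    ("10.1.0.0/16", "inside"),  # corporate LAN
    ("10.1.5.0/24", "dmz"),     # one subnet behind a third interface
]
ROUTER_ROUTES = [               # no default route; stands in for a BGP-fed table
    ("192.1.1.0/24", "peer_a"),
    ("193.1.1.0/24", "peer_b"),
    ("10.1.0.0/16", "inside"),
    ("10.1.5.0/24", "dmz"),
]

def best_route(routes, addr):
    """Longest-prefix match; returns the egress interface, or None if unrouted."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_urpf_accepts(routes, ingress, src):
    """Strict reverse-path check: pass only if the route back to the source
    address points out the interface the packet arrived on."""
    return best_route(routes, src) == ingress

def demo():
    """Verdicts for the cases the post discusses (constructed addresses)."""
    return {
        # Internet host spoofing 193.1.1.1 into the Pix: the default route covers it via 'outside', so the check gains nothing.
        "pix_internet_spoof": strict_urpf_accepts(PIX_ROUTES, "outside", "193.1.1.1"),
        # Same attacker spoofing a DMZ address: the route points to 'dmz', dropped.
        "pix_internal_spoof": strict_urpf_accepts(PIX_ROUTES, "outside", "10.1.5.7"),
        # Inside host spoofing an Internet address: route points to 'outside'.
        "inside_spoof_external": strict_urpf_accepts(PIX_ROUTES, "inside", "193.1.1.1"),
        # Inside host spoofing a DMZ address: blocked at subnet granularity.
        "inside_spoof_dmz": strict_urpf_accepts(PIX_ROUTES, "inside", "10.1.5.7"),
        # Inside host spoofing within its own /16: the one case that remains.
        "inside_spoof_own_subnet": strict_urpf_accepts(PIX_ROUTES, "inside", "10.1.2.9"),
        # Router with explicit routes only: the same spoof from peer_a is dropped.
        "router_internet_spoof": strict_urpf_accepts(ROUTER_ROUTES, "peer_a", "193.1.1.1"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'ACCEPT' if ok else 'DROP'}")
```

The router case passes only because its table has no default route; with asymmetric Internet routing a strict check on such an interface would also drop legitimate traffic, which is why the post stresses applying the check to your own networks at the subnet level.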
