On Thu, 28 Mar 2013, Phil Mayers wrote:

> I am curious to know if people are using "second best" spoof protections of having a single big egress ACL at the points leaving their network containing all expected source addresses, or even if they're doing both.

I know of all variants. Some people will do SAVI style DHCPv4 based antispoofing at the customer access port. Some will do /26 (or whatever) based filtering on the access router where ~60 customers are aggregated (perhaps uRPF). Some will do this egress on their upstream pipe. Some do nothing at all and then hopefully their upstream will do uRPF. Sometimes this doesn't happen either.

--
Mikael Abrahamsson    email: [email protected]
