On 3 Jul 2001, at 9:01, David A. Bandel boldly uttered:
> "Philip J. Koenig" wrote:
> >
> [snip]
> >
> > I'm not sure what David Bandel is referring to with "reverse path
> > filtering", I assume he means something otherwise known as "egress
> > filtering", i.e. you set up filters on your border routers that if
> > they see packets coming from one of your customers that is not
> > claiming to originate from an address you route, you block it. Some
> > people are not thrilled about doing that everywhere because it breaks
> > certain types of diagnostic and security tools. (and lots of
> > spoofing/hacking tools)
> >
> >
>
> Exactly what I'm talking about, be it called rp_filters or egress
> filters. I've not seen it cause problems when instituted at border
> routers. I know if you're using a firewall with FreeS/WAN you can't
> filter on that system, but the next upstream certainly can.
>
> Gee, it breaks spoofing/hacking tools? (Duh). That's the whole idea!
> If you want to do some spoofing tests, you do it on your local network
> only. I don't need anyone spoofing my internal network from outside.
> Or customers sending packets from their systems with source IPs outside
> my network. This can't possibly be legitimate traffic, and I for one
> drop it. (I do rp_filtering/egress filtering and haven't had one
> complaint yet). If done at a sufficiently low level (C class or
> smaller) the spoofing problems on the Internet would disappear overnight.

I agree that in general it would be a GoodThing(tm), and many are
pushing for it, particularly due to the rise of DDoS attacks.
However getting this to be adopted worldwide is going to be about as
successful as convincing various countries to close all their open
SMTP relays, or ensure that all their IP addresses resolve to a
hostname. (North America and Western Europe are pretty good about the
above, but check out lots of Asian and Eastern European countries' IP
space sometime for a contrast.)

Phil
--
Philip J. Koenig [EMAIL PROTECTED]
Electric Kahuna Systems -- Computers & Communications for the New Millenium
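
The check discussed in this thread, as an added example that is not part of the original messages: a strict reverse-path test accepts a packet only when the route back to its source address leaves through the interface it arrived on. The routing table, interface names and sample packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed routing table for a hypothetical border router:
# (destination prefix, interface the router would use to reach it).
ROUTES = [
    ("0.0.0.0/0", "upstream0"),      # default route to the Internet
    ("192.0.2.0/25", "cust_a"),      # customer A's assigned block
    ("192.0.2.128/25", "cust_b"),    # customer B's assigned block
]
TABLE = [(ipaddress.ip_network(p), ifname) for p, ifname in ROUTES]


def best_route(addr):
    """Longest-prefix match: return the interface used to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifname) for net, ifname in TABLE if ip in net]
    return max(matches)[1] if matches else None


def rp_check(in_iface, src):
    """Strict reverse-path check: accept only if the route back to the
    source address leaves through the interface the packet arrived on."""
    return best_route(src) == in_iface


def filter_packets(packets):
    """Split (in_iface, src, dst) tuples into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if rp_check(pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic.
SAMPLE = [
    ("cust_a", "192.0.2.10", "198.51.100.7"),     # customer A, own address
    ("cust_a", "203.0.113.5", "198.51.100.7"),    # customer A, outside source
    ("cust_a", "192.0.2.200", "198.51.100.7"),    # customer A using B's block
    ("upstream0", "192.0.2.10", "192.0.2.200"),   # outside claiming inside source
    ("upstream0", "198.51.100.7", "192.0.2.10"),  # ordinary inbound traffic
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for pkt in ok:
        print("accept", pkt)
    for pkt in bad:
        print("drop  ", pkt)
```

A strict check like this assumes the return path to a source uses the arrival interface, so a host with asymmetric routes fails it and has to be filtered at a different hop.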