On Thu, 31 Mar 2005, Pekka Savola wrote:

> On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
> > without wishing to repeat what can be googled for.. putting acls on your edge to
> > protect your ebgp sessions won't work for obvious reasons -- to spoof data and
> > disrupt a session you have to spoof the srcip which of course the acl will allow
> > in
>
> This is why this helps for eBGP sessions only the peer is also protecting its
> borders. I.e., if you know the peer's network has spoofing-prevention enabled,
> nobody is able to spoof the srcip the peer uses.

trusting a third party to protect your network is imho not best practice, in
addition many networks may have considerable customers inside them making
attacking from inside trivial

Steve
