Visser, Martin (Sydney) wrote:
> Huhhhh? In fact most routers don't check the source, nor do they care,
> which is why certain DoS attacks that spoof source IP addresses work.
> IP routing today is nearly always based only on the destination address.
Hi Martin,

There's a difference between what is common and what is allowed. The bottom
line is that routers are allowed to verify source addresses. The IETF
provides a mechanism in RFC2267 for source address checking which does not
require an access list per interface. The mechanism works best at the
customer edge and works poorly at the provider-provider edge.

As a customer, if you provide a spoofed IP address today then it may work
but be rejected by the ISP tomorrow. Thus it is not a good idea to have a
customer network design which requires the upstream network to accept
spoofed/incorrect addresses.

> In normal IP packet forwarding, the source and destination IP address of
> a packet doesn't change during router hops (MAC/physical does).
...
> However, you are correct about the default behaviour when a
> locally-generated packet leaves an interface in linux.
> (This doesn't apply to a routed/forwarded packet)

Obviously I was referring to the behaviour of the IP host, not the
behaviour of IP gateways.

> I would probably use iptables to do what John wishes.

And my point is that John's wishes may not lead to a reliable network
design.

Regards,
Glen

--
 Glen Turner                                 Network Engineer
 (08) 8303 3936        Australian Academic and Research Network
 [EMAIL PROTECTED]                  http://www.aarnet.edu.au/
--
 The revolution will not be televised, it will be digitised

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
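Editor's note: the reverse-path source check Glen refers to (the ingress-filtering idea of RFC 2267, now BCP 38) derives the verdict from the forwarding table rather than from a per-interface access list. The simulation below is an added example and is not code from the thread or from any router vendor; the forwarding table, interface names (cust0, cust1, peer0, peer1, upstream0) and sample packets are all constructed. It runs a strict check (source must route back out the arrival interface) and a loose check (source must be covered by some non-default route) over the same traffic, which is enough to show why the check is reliable at a customer edge and weak, or actively harmful, at a provider-provider edge where return paths are asymmetric.

```python
"""Strict and loose reverse-path source-address checks, simulated against a
constructed forwarding table (FIB).  Added illustration of the RFC 2267 /
BCP 38 ingress-filtering idea; not code from the original mailing-list post.
All prefixes, interface names and packets below are constructed examples.
"""
import ipaddress

# Constructed FIB: destination prefix -> interface the router would use.
FIB = {
    "203.0.113.0/24":  "cust0",      # customer A's assigned block
    "198.51.100.0/24": "cust1",      # customer B's assigned block
    "192.0.2.0/24":    "peer0",      # reached via peer0, but the peer may
                                     # hand us its traffic on peer1 (asymmetry)
    "0.0.0.0/0":       "upstream0",  # default route
}


def lookup(fib, addr):
    """Longest-prefix match.  Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_rpf(fib, src, in_iface):
    """Strict check: accept only when the best route back to src leaves via
    the interface the packet arrived on.  A bare default route never
    satisfies the check (prefixlen 0), mirroring the usual router default.
    Sound at a customer edge, where exactly one prefix sits behind the
    interface; breaks legitimate traffic wherever routing is asymmetric."""
    hit = lookup(fib, src)
    return hit is not None and hit[0].prefixlen > 0 and hit[1] == in_iface


def loose_rpf(fib, src):
    """Loose check: accept when any non-default route covers src, whatever
    interface it points at.  Survives asymmetric peering but only rejects
    unrouted/bogon sources; one customer spoofing another passes."""
    hit = lookup(fib, src)
    return hit is not None and hit[0].prefixlen > 0


def filter_packets(fib, packets, mode):
    """Apply one mode to (in_iface, src, dst) tuples; return a verdict each."""
    check = {
        "strict": lambda p: strict_rpf(fib, p[1], p[0]),
        "loose":  lambda p: loose_rpf(fib, p[1]),
    }[mode]
    return ["accept" if check(p) else "drop" for p in packets]


# Constructed sample traffic: (arrival interface, source, destination).
PACKETS = [
    ("cust0",     "203.0.113.5",  "198.51.100.9"),  # genuine customer A source
    ("cust0",     "10.0.0.1",     "198.51.100.9"),  # private/spoofed source from A
    ("cust0",     "198.51.100.7", "203.0.113.1"),   # customer A spoofing customer B
    ("peer1",     "192.0.2.9",    "203.0.113.1"),   # genuine peer traffic, wrong-way path
    ("upstream0", "10.0.0.1",     "203.0.113.1"),   # bogon arriving from upstream
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"{mode:6s}", filter_packets(FIB, PACKETS, mode))
```

Strict mode drops every spoof from the customer interface but also drops the genuine peer packet that arrived on peer1, which is exactly the provider-edge failure mode; loose mode keeps the peer traffic but lets customer A impersonate customer B. Either way the check needs no per-interface access list: the FIB that already forwards by destination is reused to judge the source.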
