Dag-Erling Smørgrav wrote:
> der Mouse <[EMAIL PROTECTED]> writes:
>> Not so much that it's nonsensical as forged: the other host is emitting
>> packets with from-addresses that aren't its own.  If I've been
>> allocated, say, 100.200.30.40/29, I should not be emitting packets with
>> ip_src values not in that /29, and (my understanding of) best practice
>> is that my upstream should enforce this.
> 
> Correct, but I've never heard of an ISP that actually implements egress
> filtering.

You might be surprised.  Not only did a bit over 75% of the tested IPs here:

   http://spoofer.csail.mit.edu/summary.php

...prove to be unspoofable, the data they have suggest that most of that 
filtering is actually done at the first hop (i.e., is "egress filtering" of some 
sort like verrevpath/uRPF rather than an upstream ISP doing ingress filtering 
à la RFC 2827).

By all means, however, feel free to contribute more test points to their data 
if you've got a lot of local ISPs which don't filter spoofed traffic.  :-)

-- 
-Chuck

PS: I wonder if the NTP pool project could use the same stuff there (i.e., 
"CAIDA's plot-latlong package to generate geographical maps") to generate 
nifty dot-plots of NTP strat-1, -2 and pool servers?
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
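
The two kinds of source-address filtering named in the message above (a first-hop reverse-path check like verrevpath/uRPF, and an RFC 2827-style prefix list on the customer port), as an added example that is not part of the original thread. The forwarding table, interface names and sample packets are constructed; only the 100.200.30.40/29 prefix comes from the quoted text.

```python
import ipaddress

# Constructed forwarding table for a hypothetical edge router: (prefix, interface).
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "uplink0"),
    (ipaddress.ip_network("100.200.30.40/29"), "cust0"),  # the /29 from the thread
    (ipaddress.ip_network("100.200.30.48/29"), "cust1"),  # constructed neighbour
]

# Constructed RFC 2827-style prefix lists: what each customer port may source.
INGRESS_ACL = {
    "cust0": [ipaddress.ip_network("100.200.30.40/29")],
    "cust1": [ipaddress.ip_network("100.200.30.48/29")],
}

def best_route(addr):
    """Longest-prefix match of addr against the FIB."""
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def strict_rpf_ok(ip_src, in_ifc):
    """Reverse-path check: the route back to ip_src must leave via in_ifc."""
    route = best_route(ipaddress.ip_address(ip_src))
    return route is not None and route[1] == in_ifc

def acl_ok(ip_src, in_ifc):
    """Static prefix filter: only ports that have a list are filtered."""
    if in_ifc not in INGRESS_ACL:
        return True  # no list configured on this port (e.g. the uplink)
    addr = ipaddress.ip_address(ip_src)
    return any(addr in net for net in INGRESS_ACL[in_ifc])

# Constructed sample packets: (ip_src, arriving interface).
PACKETS = [
    ("100.200.30.42", "cust0"),    # customer using its own address
    ("100.200.30.50", "cust0"),    # customer forging the neighbour's address
    ("198.51.100.9", "cust0"),     # customer forging an outside address
    ("198.51.100.9", "uplink0"),   # ordinary inbound traffic
    ("100.200.30.42", "uplink0"),  # outside host forging the customer's address
]

def classify(packets):
    """Return (ip_src, in_ifc, rpf_verdict, acl_verdict) for each packet."""
    return [(s, i, strict_rpf_ok(s, i), acl_ok(s, i)) for s, i in packets]

if __name__ == "__main__":
    for src, ifc, rpf, acl in classify(PACKETS):
        print(f"{src:15} in {ifc:8} rpf={'pass' if rpf else 'DROP'} "
              f"acl={'pass' if acl else 'DROP'}")
```

The last packet is where the two mechanisms differ: the reverse-path check drops it because the route to that source points at cust0, while the per-customer prefix list never sees traffic arriving on the uplink.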
