Bugtraq mailing list archives

Re[2]: Router filtering not enough! (Was: Re: CERT advisory


From: rnayfield () mail iconnet com (Nayfield, Rod)
Date: Tue, 31 Jan 95 11:08:48 EST


     One other thing to note is that many sites are set up without any 
     internal routing protocols; imagine a cisco 7000 with 5 ethernets and 
     5 class C networks attached to the ethernets (and a serial out to the 
     rest of the Internet).  If you were to somehow implement a MAC check 
     for the addresses, anything coming from the Internet or any of the 
     other 4 (local) C's will come from the router's MAC.  If you trust a 
     machine on one of the other ethernets, you will have no way of telling 
     where the packet came from.  If you implemented an access list which 
     denies the local addresses from coming in over the serial but lets 
     everything else in, you can be reasonably sure that a packet from a 
     local address is at least within your network and not from the 
     Internet.
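
The following sketch is an added illustration, not part of the original post. It models the topology the message describes (one router, five Ethernets with one class C each, a serial uplink) and shows that a MAC check on the receiving host cannot tell a spoofed packet from a genuine one, while an access list on the serial interface can. Interface names, addresses and the MAC are constructed values.

```python
import ipaddress

# Constructed topology (all values are made up for illustration).
ROUTER_MAC = "00:00:0c:aa:bb:cc"
UPLINK = "Serial0"
LOCAL_NETS = {
    f"Ethernet{i}": ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(1, 6)
}


def is_local(src_ip):
    """True if the source address belongs to one of the five local class C's."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in LOCAL_NETS.values())


def forward(in_if, src_ip, dst_ip, serial_acl=True):
    """Return the frame the destination host receives, or None if dropped."""
    # Access list on the serial: deny local source addresses, permit the rest.
    if serial_acl and in_if == UPLINK and is_local(src_ip):
        return None
    # Routing rewrites the layer-2 header, so the receiving host always sees
    # the router's MAC regardless of which interface the packet arrived on.
    return {"src_mac": ROUTER_MAC, "src_ip": src_ip, "dst_ip": dst_ip}


def scenarios():
    trusted_src, local_host = "192.168.2.10", "192.168.1.5"
    return {
        "genuine_from_ethernet2": forward("Ethernet2", trusted_src, local_host),
        "spoofed_no_acl": forward(UPLINK, trusted_src, local_host, serial_acl=False),
        "spoofed_with_acl": forward(UPLINK, trusted_src, local_host),
        "internet_with_acl": forward(UPLINK, "198.51.100.7", local_host),
    }


if __name__ == "__main__":
    for name, frame in scenarios().items():
        print(f"{name:24} -> {frame}")
```

Without the access list, the genuine and spoofed frames are byte-for-byte identical at the receiving host; with it, a local source address can only have entered through one of the Ethernets.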
     


