nanog mailing list archives

Re: ICMP Attacks???????


From: "Jay R. Ashworth" <jra () scfn thpl lib fl us>
Date: Thu, 21 Aug 1997 17:39:53 -0400

On Thu, Aug 21, 1997 at 03:26:50PM -0500, Jon Green wrote:
On Thu, 21 Aug 1997 13:18:34 -0700, fair () clock org writes:
There is another mitigation: everyone here should commit to filtering
customer packets at the customer premises router (or at the dial in for
PPP/SLIP) such that it is not possible for a customer to send a packet into
the network that has an IP source address on it that is not assigned to
that customer. That is, no more lying about source addresses.

Every time I show a customer of mine how to configure a router, I 
try to educate them on this.  We need some kind of massive marketing
effort to get this out to people though.  People would do it, but nobody
knows about it.

Ok, here's a question:

A router knows the network number and mask of each network to which it
has an interface.  Does it not make sense that the default thing for
that router to do would be to trash incoming packets which carry a
source address not on the network associated with that interface?

Certainly, you'd have to tell the router to accept all comers (except
locally addressed packets) on the WAN interface, but you need to tell
it which interface is the default route _anyway_, so that's trivial.

And for people with multiple, routed networks behind a router, well,
they could probably be assumed to be bright enough to enable additional
net/masks for a given interface _anyway_, so that's not really a
problem either.

Someone tell me, from either a technical or marketing standpoint, why
this idea is infeasible, no?

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
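
The default behaviour proposed in the message above, modelled as an added example (not part of the original post, and not any router vendor's code). The `Interface` class, `accept_source`, the interface names and the documentation prefixes are all assumptions made for illustration.

```python
import ipaddress

class Interface:
    """One router interface and the source prefixes allowed to arrive on it."""
    def __init__(self, name, connected, extra=(), is_default_route=False):
        self.name = name
        self.is_default_route = is_default_route
        # Connected network, plus any routed networks the operator has
        # explicitly enabled behind this interface.
        self.allowed = [ipaddress.ip_network(n) for n in (connected, *extra)]

def accept_source(iface, src, all_interfaces):
    """Return True if a packet with source address `src` may enter via `iface`."""
    addr = ipaddress.ip_address(src)
    if iface.is_default_route:
        # WAN side: accept all comers except sources claiming a local address.
        local = [n for i in all_interfaces if not i.is_default_route
                 for n in i.allowed]
        return not any(addr in n for n in local)
    # Customer/LAN side: source must be on a network tied to this interface.
    return any(addr in n for n in iface.allowed)

# Constructed topology; all prefixes are documentation ranges.
LAN = Interface("eth0", "192.0.2.0/25", extra=["198.51.100.0/24"])
DMZ = Interface("eth1", "192.0.2.128/25")
WAN = Interface("ser0", "203.0.113.0/30", is_default_route=True)
ROUTER = [LAN, DMZ, WAN]

def demo():
    """Evaluate a constructed set of (ingress interface, source) pairs."""
    packets = [
        (LAN, "192.0.2.10"),     # on the connected network
        (LAN, "198.51.100.5"),   # on an operator-added routed network
        (LAN, "203.0.113.77"),   # not assigned behind this interface
        (DMZ, "192.0.2.10"),     # LAN address arriving on the wrong port
        (WAN, "203.0.113.200"),  # ordinary outside source
        (WAN, "192.0.2.200"),    # outside packet claiming a local address
    ]
    return [(i.name, s, accept_source(i, s, ROUTER)) for i, s in packets]

if __name__ == "__main__":
    for name, src, ok in demo():
        print(f"{name:5} {src:15} {'accept' if ok else 'drop'}")
```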

