nanog mailing list archives

Re: Blocking spoofing at the source (was: ICMP Attacks??)

From: Josh Beck <jbeck () connectnet com>
Date: Fri, 22 Aug 1997 14:59:40 -0700 (PDT)

Given the predominance of Ascend in the marketplace, and their general
configuration style, it would be cool to see an option
"AllowIpSpoofing=Yes/No" or the like. The boxes already carry routes
associated with each interface. If a packet arrives that doesn't have a
route to get it back to the interface it came from, it would be dropped.
Sure, this may not always be what you want, but in 99% of the cases it
would be. Implementation via Radius would permit this to be removed from
people you wish to allow to spoof. :)

 
This won't work on anything with multiple diverse paths. And I don't know
many companies with their own WANs that don't have such.

So, yes, the idea is nice but the logic would have to be much more
comprehensive than that. And I honestly don't know how you could safely do
it, that won't break half the routing topologies out there.

(if you assume multipath OSPF for the IGP... maybe. But that's one hell of
an assumption.)

-- 
Joe Rhett                                                 Systems Engineer
JRhett () ISite Net                                          ISite Services

PGP keys and contact information:     http://www.navigist.com/Staff/JRhett


        True, but there are a lot of small ISPs whom something like this
could help. Granted, perhaps you should know enough of filters and routes
to run an ISP, but there are those who don't, and their numbers will only
increase as the involved equipment and technologies become more accessible
to more people, and more PC shops and small businesses decide to become
their own ISPs.

Josh Beck                                         jbeck () connectnet com
----------------------------------------------------------------------
CONNECTNet INS, Inc.      Phone: (619)450-0254      Fax: (619)450-3216
6370 Lusk Blvd., Suite F-208                       San Diego, CA 92121
----------------------------------------------------------------------

Current thread:

Re: ICMP Attacks???????, (continued)
- - - Message not available
    - Re: ICMP Attacks??????? Jay R. Ashworth (Aug 21)
    - Message not available
    - Re: ICMP Attacks??????? Jay R. Ashworth (Aug 21)
    - Re: ICMP Attacks??????? Jon Green (Aug 21)
    - Re: ICMP Attacks??????? Greg A. Woods (Aug 21)
    - Re: ICMP Attacks??????? Jon Green (Aug 22)
    - Re: ICMP Attacks??????? Greg A. Woods (Aug 22)
    - Re: ICMP Attacks??????? Joe Rhett (Aug 22)
    - Message not available
    - Re: ICMP Attacks??????? Jay R. Ashworth (Aug 22)
    - Re: ICMP Attacks??????? Josh Beck (Aug 21)
    - Blocking spoofing at the source (was: ICMP Attacks??) Joe Rhett (Aug 22)
    - Re: Blocking spoofing at the source (was: ICMP Attacks??) Josh Beck (Aug 22)
    - Message not available
    - Re: Blocking spoofing at the source (was: ICMP Attacks??) Jay R. Ashworth (Aug 22)
    - Re: Blocking spoofing at the source (was: ICMP Attacks??) Robert Sanders (Aug 29)
    - Re: Blocking spoofing at the source (was: ICMP Attacks??) Phil Howard (Aug 22)
    - Re: Blocking spoofing at the source (was: ICMP Attacks??) Robert Sanders (Aug 29)
    - Re: ICMP Attacks??????? Peter E. Giza (Aug 21)
    - Re: ICMP Attacks??????? Jon Lewis (Aug 21)
    - Re: ICMP Attacks??????? Alex "Mr. Worf" Yuriev (Aug 21)
    - Re: ICMP Attacks??????? Jon Lewis (Aug 21)
    - Re: ICMP Attacks??????? Edward Henigin (Aug 21)
    - Re: ICMP Attacks??????? Alex Przekupowski (Aug 22)

(Thread continues...)