nanog mailing list archives
RE: no ip forged-source-address
From: "Tony Hain" <alh-ietf () tndh net>
Date: Wed, 30 Oct 2002 09:29:10 -0800
To reiterate the comment I made during the session yesterday, the places where strict rpf will be most effective are at the very edge interfaces without explicit management (SOHO). This also tends to be the place where there is insufficient clue to turn it on. One hopes that in the nanog community there is sufficient clue to recognize the case where having it on will create a problem and turn it off. This has been a case where money has been talking, and those with enough clue to comment on it are saying they don't want it, while those that really need it are not asking. If the community believes this technique is the best tool for regaining visibility into where attacks are coming from, there are two explicit steps to making it happen. First, demand that all vendors make it the default. Second, be willing to turn it off rather than simply complain that it doesn't work in the ISP network.

Tony
-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of variable () ednet co uk
Sent: Wednesday, October 30, 2002 8:21 AM
To: nanog () nanog org
Subject: Re: no ip forged-source-address

On Wed, 30 Oct 2002, Daniel Senie wrote:

> BCP 38 is quite explicit in the need for all networks to do their part. The document is quite effective provided there's cooperation.

Doesn't seem to be working.

> Which interface would you filter on?

Customer ingress ports on the ISP side, which I suspect are the majority of ports in ISP networks. Hopefully engineers on the backbone will be clueful enough to turn it off.

> If we're talking about a router at the customer premises, the filters should be on the link to the ISP (the customer may well have more subnets internally). At the ISP end, doing the filtering you suggest would not work, since it'd permit only the IP addresses of the link between the customer and user.

The routing table of the router should be used to build up a list of prefixes that you should see through the interface. In this way, you could apply it to BGP customers too without having to create filters by hand.

Regards,

Rich
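A toy model of the check being argued over in this thread, added here as an illustration and not code from the thread, from any vendor, or from BCP 38 itself: strict versus loose reverse-path checks against a small constructed routing table, plus Rich's point about deriving a customer's ingress prefix list from that table rather than from the link subnet alone. Interface names, addresses and the `allow_default` knob are assumptions.

```python
import ipaddress

# Constructed routing table for an ISP edge router: prefix -> interface the
# prefix is reached through. Names and addresses are made up for this example.
ROUTES = {
    "0.0.0.0/0": "uplink0",        # default route towards transit
    "192.0.2.0/30": "cust-a",      # point-to-point link to customer A
    "198.51.100.0/24": "cust-a",   # customer A's own subnet behind that link
    "203.0.113.0/24": "cust-b",    # customer B
}

def _routes():
    # Longest prefix first, so the first hit is the best route.
    table = [(ipaddress.ip_network(p), i) for p, i in ROUTES.items()]
    return sorted(table, key=lambda t: t[0].prefixlen, reverse=True)

def best_route(src):
    """Longest-prefix match on the packet's *source* address (the reverse path)."""
    addr = ipaddress.ip_address(src)
    for net, iface in _routes():
        if addr in net:
            return net, iface
    return None

def rpf_allows(src, in_iface, mode="strict", allow_default=False):
    """Decide whether a packet with source `src` arriving on `in_iface` passes.

    strict: the best route back to the source must leave via the arrival interface.
    loose:  any route back to the source is enough (only catches unrouted space).
    The default route is ignored unless allow_default is set, which is how most
    implementations behave; on a transit-facing link strict mode without it
    would drop everything, which is the "turn it off on the backbone" case.
    """
    match = best_route(src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == in_iface

def build_ingress_prefix_list(iface):
    """Prefixes routed via `iface`: a per-customer ingress filter derived from the
    routing table instead of hand-written or limited to the link subnet."""
    return sorted(str(net) for net, i in _routes() if i == iface and net.prefixlen > 0)
```

Filtering customer A only on the link subnet 192.0.2.0/30 would drop its 198.51.100.0/24 traffic, whereas the table-derived list permits it while still rejecting sources that route elsewhere.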