nanog mailing list archives
Re: icmp rpf
From: Roland Dobbins <rdobbins () cisco com>
Date: Sun, 24 Sep 2006 17:30:03 -0700
On Sep 24, 2006, at 4:33 PM, Mark Kent wrote:
> Remember, we're not talking about RFC1918 space, where there is a BCP that says we should filter it at the edge. We're talking about public IP space, that just doesn't happen to be announced outside of a particular AS.
If the intent is to prevent folks from reaching out and touching random network infrastructure devices directly whilst still allowing traceroute to work, iACLs and/or using IS-IS as one's IGP and null-routing the infrastructure blocks at one's various edges achieves the same effect with less potential for breakage:
http://www.nanog.org/mtg-0405/mcdowell.html
Note that a good infrastructure addressing plan is a prerequisite for both of these methods.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice
Any information security mechanism, process, or procedure which can be consistently defeated by the successful application of a single class of attacks must be considered fatally flawed.
-- The Lucy Van Pelt Principle of Secure Systems Design
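A small model of the edge filtering described in the message above, added here as an example and not part of the original post: it shows why an inbound iACL on the infrastructure block leaves traceroute working, and why a contiguous addressing plan keeps the filter short. All addresses are constructed documentation prefixes, and the function names are hypothetical.

```python
"""Model of an edge infrastructure ACL (iACL). All addresses are constructed."""
from ipaddress import ip_address, ip_network, collapse_addresses

# Assumed addressing plan: every router link is a /30 carved from one public
# block (a documentation prefix stands in for it here).
INFRA_LINKS = [ip_network(f"198.51.100.{i}/30") for i in range(0, 256, 4)]
INFRA_BLOCKS = list(collapse_addresses(INFRA_LINKS))

# Constructed counter-example: links numbered from unrelated blocks.
SCATTERED_LINKS = [ip_network(p) for p in
                   ("192.0.2.4/30", "198.51.100.8/30", "203.0.113.64/30")]


def acl_entries(prefixes):
    """Number of deny lines needed to cover the given infrastructure prefixes."""
    return len(list(collapse_addresses(prefixes)))


def edge_permits(dst, from_outside=True):
    """iACL decision at the AS edge: drop outside packets addressed TO the
    infrastructure blocks, permit everything else."""
    if not from_outside:
        return True
    return not any(ip_address(dst) in block for block in INFRA_BLOCKS)


def traceroute_visible(tracer, target):
    """True if an outside trace to `target` still shows the router hops."""
    # Probes are addressed to the target, not to the routers on the path.
    probes_pass = edge_permits(target)
    # Time-exceeded replies are sourced from router addresses but addressed to
    # the tracer, and they leave the AS, so the inbound filter never sees them.
    replies_pass = edge_permits(tracer, from_outside=False)
    return probes_pass and replies_pass


if __name__ == "__main__":
    outside, customer, router = "203.0.113.9", "192.0.2.80", "198.51.100.1"
    print("deny lines, contiguous plan:", acl_entries(INFRA_LINKS))
    print("deny lines, scattered plan: ", acl_entries(SCATTERED_LINKS))
    print("direct packet to router permitted:", edge_permits(router))
    print("transit to customer permitted:   ", edge_permits(customer))
    print("traceroute to customer works:    ", traceroute_visible(outside, customer))
```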