Home page logo

nanog logo nanog mailing list archives

Re: NSPs and filters
From: Phil Howard <phil () charon milepost com>
Date: Sat, 12 Jul 1997 10:50:23 -0500 (CDT)

Its not feasible to filter packets on customer gateway routers.  When you
impose a packet filter on a GW router customer interface, all packets  
destined to that customer have to be matched to an access-list and then
forwarded down the pipe or dropped.  This increases the load on the  
router CPU, because it is used to switching the packets.  Now you have to
analyze each packet which takes up CPU time.

This is not a nice thing to do to a router, especially while the router is
trying to keep up with 50 other customers...  And if more than 1 customer
wants this type of service, you start really feeling the load.

It isn't, or shouldn't be, an issue of whether the customer wants this
kind of service.  This is protection FROM that customer.  The principle
reason to not do this is the load it causes on the router.

Should it be discovered that source forged packets are coming from a given
customer, then you could apply this to that customer if they are not going
to just be summarily cut off.

Perhaps, in time, security demands may require doing more of this.  Or they
may require more kinds of traceability of where the bad packets are coming
from (also costly).

Phil Howard KA9WGN   +-------------------------------------------------------+
Linux Consultant     |  Linux installation, configuration, administration,   |
Milepost Services    |  monitoring, maintenance, and diagnostic services.    |
phil at milepost.com +-------------------------------------------------------+

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]