
Re: NSPs and filters
From: Jon Lewis <jlewis () inorganic5 fdt net>
Date: Sun, 13 Jul 1997 01:30:46 -0400 (EDT)

On Sat, 12 Jul 1997, Daniel Senie wrote:

Another thing I'd like folks to consider. Many of you manage the routers
at customer sites. I would guess that in most cases, folks forging IP
addresses are NOT the folks who have access to routers at a site. If
you, as an ISP, manage the router at the customer end of a circuit, ADD
FILTERS THERE! Make sure that packets transmitted from the customer's
router to your network are VALID addresses. The

FDT has an office with a Sprint/Centel T1 in which Sprint supplies and
maintains the router at our end...an intolerable situation, but that's
another story.

The topic of access-list filters has come up many times, and Sprint
refused to add any filters to the 2501 at our end, and would not give FDT
access to it in any way.  I noticed they were doing no filtering
whatsoever, and promptly gave them some real life examples of why egress
filtering is a good thing by forging packets into their NOC.  They proved
their cluelessness by adding tcp and udp egress filters, rather than just
ip.  Last time I tried, I could still forge icmp from tlh.

 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
________Finger jlewis () inorganic5 fdt net for PGP public key_______
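The difference Jon Lewis describes between filtering only tcp/udp and filtering at the ip level is easiest to see side by side. The following Cisco IOS fragment is an added illustration, not the ACL Sprint ran or anything from the original message; the prefix 192.0.2.0/24 (the documentation block), the interface names Ethernet0/Serial0 and the list numbers 101/102 are constructed values for a 2501-style customer router whose LAN is on Ethernet0 and whose T1 to the NSP is on Serial0.

```cisco
! Added example, not the original configuration.
!
! Weak ACL (protocol-specific, the pattern described in the message):
! only TCP and UDP with a source outside the customer's block are dropped.
! The trailing "permit ip any any" still admits ICMP and every other IP
! protocol, so a forged-source ICMP packet leaves the site untouched.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any
access-list 101 permit udp 192.0.2.0 0.0.0.255 any
access-list 101 deny   tcp any any log
access-list 101 deny   udp any any log
access-list 101 permit ip any any
!
! Correct ACL (protocol-independent): a single "ip" entry admits only the
! customer's own prefix as source; the explicit "deny ip any any log" (which
! mirrors the implicit deny at the end of every ACL) catches forged sources
! regardless of protocol and records them for the NOC.
access-list 102 permit ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip any any log
!
! Apply the ip-level list to traffic heading from the customer toward the NSP.
interface Serial0
 description T1 to the NSP (constructed example)
 ip access-group 102 out
```

Applying list 102 outbound on Serial0 matches the message's wording ("packets transmitted from the customer's router to your network"); applying it inbound on Ethernet0 is equivalent and drops the packet before it is routed. The `log` keyword on the final deny is what turns the filter into a detection point: a stream of logged denies from a customer interface is the signal that someone behind it is forging sources.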
