filtering spoofed addresses cheaply
From: "William Allen Simpson" <wsimpson () greendragon com>
Date: Sun, 26 Apr 98 05:49:03 GMT

There has been a fair amount of discussion about where and how to filter
spoofed IP Source addresses.  I don't understand why this is considered
so hard.  Let me tell you about what Merit did nearly 15 years ago....

Every NAS (they were called SCPs in those days) knows the address
assigned to each link.  So, Merit code just replaced the incoming IP
Source field with the known address, before calculating the IP Header
checksum.  Spoofed addresses -> packets discarded with bad checksum.
Simple.  Elegant.  No additional CPU.

We merely want the same thing to happen BY DEFAULT on every dial-up
link.  Listening Lucent/Livingston?  Ascend?  Et alia?

Now, the ethernet spoof detection is a little harder, but since each
interface is already configured with an address and subnet prefix length
(or mask), every interface should simply discard all incoming packets
with an IP Source prefix that does not match.  The knob for accepting
other extra subnets should default to "off", just as the knob for
accepting RIP broadcasts defaults to "off", and the knob for BGP peers
defaults to "off".  KISS.  You don't accept unexpected routing
advertisements from your downstreams, do you!?!?

The whole argument about asymmetric routing does not apply.  You would
not filter at those multi-homed routers in any case, and you already
have to configure something special (routing policy).

WSimpson () UMich edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
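The two filters the post describes, as an added Python example that is not Merit's or any vendor's code: the dial-up trick (overwrite the IP Source field with the address assigned to the link, then verify the IPv4 header checksum) and the per-interface prefix check whose "extra subnets" knob defaults to off. All addresses are constructed documentation-range values.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement
    sum of the 16-bit words. For a header that already carries a valid
    checksum this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (constructed test input) with a valid
    checksum, as a sender would emit it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def nas_accepts(header: bytes, link_addr: str) -> bool:
    """Dial-up filter from the post: the NAS overwrites bytes 12-15 (Source)
    with the address it assigned to the link and only then checks the
    checksum. A spoofed source makes the sender's checksum wrong, so the
    packet is discarded with no extra work. Caveat: the 16-bit sum can
    collide (e.g. two addresses whose halves sum the same), so the check
    is cheap rather than exact."""
    rewritten = header[:12] + ipaddress.ip_address(link_addr).packed + header[16:]
    return ipv4_checksum(rewritten) == 0


def interface_accepts(src: str, if_addr: str, prefix_len: int,
                      extra_subnets=()) -> bool:
    """Ethernet filter from the post: accept only sources inside the prefix
    the interface is configured with. 'extra_subnets' is the knob for other
    downstream subnets and defaults to off (empty)."""
    allowed = [ipaddress.ip_network(f"{if_addr}/{prefix_len}", strict=False)]
    allowed += [ipaddress.ip_network(s) for s in extra_subnets]
    source = ipaddress.ip_address(src)
    return any(source in net for net in allowed)
```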
