RE: On the back of other 'security' posts....
From: "Terry Baranski" <tbaranski () mail com>
Date: Sun, 31 Aug 2003 13:49:15 -0400
On Sunday, August 31, 2003 8:26 AM Stephen J. Wilcox wrote:
> On Sat, 30 Aug 2003, Terry Baranski wrote:
>> In what instances is blocking spoofed traffic at the edge not
>> feasible? ("Spoofed" as in not sourced from one of the customer's
>
> Where the customer is not a basic end user.. an ISP for example who may be
> transiting traffic from netblocks that are not theirs.
I've been using the term "edge" to refer to a standard customer; i.e.,
not an ISP. I tend to think of ISP <-> ISP links as borders, but I
guess the term only applies to peers. But in any case, if all ISPs put
anti-spoof filters on "standard customer" edge links as well as their
own upstream links, is there any need for such filters anywhere else?
It might be compared to deploying protocol extensions such as S(o)BGP:
the benefit gained correlates with ubiquity of the deployment.
> We still have the other problem where a lot of large networks are using RFC1918
> addresses that do not get NAT'd, thus filtering will break pMTU.. this is an
> issue in my experience mainly for those who host websites, altho many of those
> are filtering their own packets anyway and have broken sites!
Fair enough, though most seem to consider this a broken design practice.
If one of the side effects of anti-spoof filtering is that broken
networks break some more, maybe that's tolerable.
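As an added illustration of the two points argued above (not code from the thread or from either poster), the model below applies a BCP38-style anti-spoof filter on a customer-facing edge, and then shows the PMTUD side effect Stephen describes: a hosting network that drops all RFC 1918-sourced packets at its border also drops the ICMP "Fragmentation Needed" messages sent by transit routers whose interfaces carry un-NAT'd RFC 1918 addresses, so Path MTU Discovery silently fails. Every prefix, address and packet is constructed for the example; the customer prefixes and the hosting network's filter policy are assumptions.

```python
"""Model of ingress anti-spoof filtering and the PMTUD breakage that an
over-broad RFC 1918 source filter causes.  Added example; all prefixes and
packets are constructed for illustration (RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network

# Constructed: prefixes the ISP has assigned to one "standard customer" edge.
CUSTOMER_PREFIXES = [IPNet("192.0.2.0/24"), IPNet("198.51.100.0/25")]

# The RFC 1918 private address space.
RFC1918 = [IPNet("10.0.0.0/8"), IPNet("172.16.0.0/12"), IPNet("192.168.0.0/16")]

# ICMP type 3 (Destination Unreachable), code 4 (Fragmentation Needed and DF set).
ICMP_UNREACH, ICMP_FRAG_NEEDED = 3, 4


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    icmp_type: int = -1     # only meaningful when proto == "icmp"
    icmp_code: int = -1


def in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def customer_edge_ingress(pkt: Packet, customer_prefixes=CUSTOMER_PREFIXES):
    """Anti-spoof filter on the customer-facing interface of the ISP edge:
    a packet entering from the customer is forwarded only if its source
    address lies inside one of the prefixes assigned to that customer.
    Returns (decision, reason)."""
    if in_any(pkt.src, customer_prefixes):
        return ("forward", f"source {pkt.src} is within the customer's prefixes")
    return ("drop", f"spoofed source {pkt.src} is not in the customer's prefixes")


def hosting_border_ingress(pkt: Packet, drop_private_sources: bool = True):
    """Filter on a hosting network's upstream border (assumed policy): drop
    anything sourced from RFC 1918 space, which is the practice the thread
    says many website operators apply to their own incoming traffic."""
    if drop_private_sources and in_any(pkt.src, RFC1918):
        return ("drop", f"RFC 1918 source {pkt.src}")
    return ("forward", f"public source {pkt.src}")


def is_frag_needed(pkt: Packet) -> bool:
    return (pkt.proto == "icmp" and pkt.icmp_type == ICMP_UNREACH
            and pkt.icmp_code == ICMP_FRAG_NEEDED)


def pmtud_outcome(frag_needed: Packet, drop_private_sources: bool = True) -> str:
    """Whether a Fragmentation Needed message emitted by a transit router
    reaches the server behind the hosting border.  If the router's interface
    has an un-NAT'd RFC 1918 address and the border drops private sources,
    the message never arrives and the TCP session stalls (PMTUD blackhole)."""
    if not is_frag_needed(frag_needed):
        raise ValueError("pmtud_outcome expects an ICMP Fragmentation Needed packet")
    decision, reason = hosting_border_ingress(frag_needed, drop_private_sources)
    if decision == "drop":
        return "pmtud blackhole: " + reason
    return "pmtud ok: " + reason


def demo():
    """Run the constructed scenarios; returns the list of outcomes."""
    results = [
        # Legitimate customer traffic passes the edge anti-spoof filter.
        customer_edge_ingress(Packet("192.0.2.10", "203.0.113.1", "tcp")),
        # A packet with a source outside the customer's prefixes is dropped at the edge.
        customer_edge_ingress(Packet("203.0.113.5", "203.0.113.1", "udp")),
        # Transit router with an RFC 1918 interface reports a smaller MTU:
        # dropped by an RFC 1918 source filter, so PMTUD breaks.
        pmtud_outcome(Packet("10.1.1.1", "198.51.100.7", "icmp", ICMP_UNREACH, ICMP_FRAG_NEEDED)),
        # Same message from a router with a public interface address gets through.
        pmtud_outcome(Packet("203.0.113.254", "198.51.100.7", "icmp", ICMP_UNREACH, ICMP_FRAG_NEEDED)),
    ]
    for r in results:
        print(r)
    return results


if __name__ == "__main__":
    demo()
```

The edge check is deliberately a pure prefix membership test: once every ISP applies it on its own customer ports and upstream links, a spoofed source can be dropped at the first hop, which is the ubiquity argument made above. The PMTUD scenario shows why the "filter all RFC 1918 sources at my border" shortcut is the thing that breaks, not the anti-spoof filter at the customer edge.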