RE: On the back of other 'security' posts....
From: "Terry Baranski" <tbaranski () mail com>
Date: Sun, 31 Aug 2003 13:49:15 -0400


On Sunday, August 31, 2003 8:26 AM Stephen J. Wilcox wrote:

> On Sat, 30 Aug 2003, Terry Baranski wrote:
>
> > In what instances is blocking spoofed traffic at the edge not
> > feasible? ("Spoofed" as in not sourced from one of the customer's
> > netblocks.)
>
> Where the customer is not a basic end user.. an ISP for example who may be
> transiting traffic from netblocks that are not theirs.

I've been using the term "edge" to refer to a standard customer; i.e.,
not an ISP.  I tend to think of ISP <-> ISP links as borders, but I
guess the term only applies to peers.  But in any case, if all ISPs put
anti-spoof filters on "standard customer" edge links as well as their
own upstream links, is there any need for such filters anywhere else?
It might be compared to deploying protocol extensions such as S(o)BGP:
the benefit gained correlates with ubiquity of the deployment.

> We still have the other problem where a lot of large networks are using
> RFC1918 addresses that do not get NAT'd thus filtering will break pMTU..
> this is an issue in my experience mainly for those who host websites,
> although many of those are filtering their own packets anyway and have
> broken sites!

Fair enough, though most seem to consider this a broken design practice.
If one of the side effects of anti-spoof filtering is that broken
networks break some more, maybe that's tolerable.

-Terry
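As an added illustration of the two points argued in this exchange (not code from either poster), the toy model below applies an anti-spoof ingress filter on an "edge" (single customer) or "transit" (downstream ISP) link and classifies why a packet is dropped, including the case where an ICMP fragmentation-needed message sourced from an un-NATed RFC1918 router address is discarded and so breaks path-MTU discovery. All prefixes and addresses are constructed documentation values.

```python
# Added example, not from the thread: toy anti-spoof ingress filter showing the
# edge vs. transit placement question and the RFC1918 / path-MTU side effect.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Private space that no customer legitimately originates across a link.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"               # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None  # 3 = destination unreachable
    icmp_code: Optional[int] = None  # 4 = fragmentation needed (PMTUD)

    def is_frag_needed(self) -> bool:
        return self.proto == "icmp" and self.icmp_type == 3 and self.icmp_code == 4


@dataclass
class FilteredLink:
    """Ingress anti-spoof filter on one link. On an 'edge' link the valid
    sources are the customer's own netblocks; on a 'transit' link they are
    every netblock the downstream ISP carries, so the list is much larger
    and changes whenever that ISP's own customers change."""
    kind: str                  # "edge" or "transit"
    valid_sources: List[str]   # constructed prefixes the neighbour may source

    def __post_init__(self):
        if self.kind not in ("edge", "transit"):
            raise ValueError("link kind must be 'edge' or 'transit'")
        self._nets = [ip_network(p) for p in self.valid_sources]

    def permits(self, pkt: Packet) -> bool:
        src = ip_address(pkt.src)
        return any(src in n for n in self._nets)

    def classify(self, pkt: Packet) -> str:
        """'forward', 'drop-spoofed', or 'drop-breaks-pmtud' when the dropped
        packet is a fragmentation-needed message from an RFC1918 router hop."""
        if self.permits(pkt):
            return "forward"
        if pkt.is_frag_needed() and any(ip_address(pkt.src) in n for n in RFC1918):
            return "drop-breaks-pmtud"
        return "drop-spoofed"


if __name__ == "__main__":
    edge = FilteredLink("edge", ["198.51.100.0/24"])
    for p in (Packet("198.51.100.7", "192.0.2.1"), Packet("203.0.113.9", "192.0.2.1"),
              Packet("10.0.0.1", "192.0.2.1", "icmp", 3, 4)):
        print(p.src, "->", edge.classify(p))
```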
