Firewall Wizards mailing list archives
Re: DDOS Countermeasures RFC
From: jan () nil si
Date: Wed, 31 Jan 2001 18:44:16 +0100
> You don't have to have the router try and determine if it's a leaf or not.. just leave it on by default, and require the network admin to know that they have to shut it off in order to do a router-to-router interface.

Ryan, I thought you knew better ;)) This would be such a destructive step, which would make troubleshooting of many situations hellish. However, I also like investigating the thin red line between improving security and alienating users with default settings. Hey, I still do some security-unrelated design/troubleshooting stuff :)

To add some interesting content: the PIX also has such antispoofing code (it is even configured with the same syntax), and it is turned OFF by default on all interfaces. That is Bad.

Cheers,
Jan

Jan Bervar
Data Communications Specialist, CCIE #2527
Consulting Engineer
NIL Data Communications, Einspielerjeva 6, 1000 Ljubljana, Slovenia
Phone +386 1 4746 500
Fax +386 1 4746 501
http://www.NIL.si

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
