North American Network Operators Group

Re: NSPs and filters
On Sat, 12 Jul 1997, Daniel Senie wrote:

> Another thing I'd like folks to consider. Many of you manage the routers
> at customer sites. I would guess that in most cases, folks forging IP
> addresses are NOT the folks who have access to routers at a site. If
> you, as an ISP, manage the router at the customer end of a circuit, ADD
> FILTERS THERE! Make sure that packets transmitted from the customer's
> router to your network are VALID addresses.

The FDT has an office with a Sprint/Centel T1 in which Sprint supplies and maintains the router at our end...an intolerable situation, but that's another story.

The topic of access-list filters has come up many times, and Sprint refused to add any filters to the 2501 at our end, and would not give FDT access to it in any way. I noticed they were doing no filtering whatsoever, and promptly gave them some real life examples of why egress filtering is a good thing by forging packets into their NOC. They proved their cluelessness by adding tcp and udp egress filters, rather than just ip. Last time I tried, I could still forge icmp from tlh.

------------------------------------------------------------------
 Jon Lewis <[email protected]>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |
 ________Finger [email protected] for PGP public key_______
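Added example, not part of the original message: a small first-match ACL model that audits a source-address filter for protocols it fails to cover, which is the gap described above when only tcp and udp are filtered. The customer prefix, the test address and both rule sets are constructed assumptions; the actual router configuration is not shown in the thread.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol; otherwise "tcp", "udp" or "icmp"
    src: str     # source prefix in CIDR form

CUSTOMER = "192.0.2.0/24"   # constructed: prefix assigned to the customer site
OUTSIDE = "198.51.100.7"    # constructed: a source address outside that prefix
ANY = "0.0.0.0/0"

# Assumed shape of a filter written per protocol: tcp and udp are checked,
# everything else falls through to a catch-all permit.
PER_PROTOCOL = [
    Rule("permit", "tcp", CUSTOMER),
    Rule("permit", "udp", CUSTOMER),
    Rule("deny", "tcp", ANY),
    Rule("deny", "udp", ANY),
    Rule("permit", "ip", ANY),
]

# Filter on the IP source address itself, independent of the protocol carried.
ALL_IP = [
    Rule("permit", "ip", CUSTOMER),
    Rule("deny", "ip", ANY),
]

def evaluate(acl, proto, src):
    """Return the action of the first matching rule; no match is an implicit deny."""
    addr = ipaddress.ip_address(src)
    for rule in acl:
        if rule.proto in ("ip", proto) and addr in ipaddress.ip_network(rule.src):
            return rule.action
    return "deny"

def spoof_gaps(acl, protos=("tcp", "udp", "icmp")):
    """List protocols for which a packet with an invalid source is still forwarded."""
    return [p for p in protos if evaluate(acl, p, OUTSIDE) == "permit"]

if __name__ == "__main__":
    print("per-protocol filter gaps:", spoof_gaps(PER_PROTOCOL))
    print("ip filter gaps:", spoof_gaps(ALL_IP))
```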