|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: NSPs and filters (fwd)
> Date: Mon, 14 Jul 1997 12:29:32 -0400 > From: Daniel Senie <[email protected]> > > And it goes beyond that... Every PC running Windows (or any other OS, > for that matter) has complete ability to do anything with IP. So, any > user on a dialup line into any ISP is a possible source of attacks. > > This is why I think the RAS servers need to be able to filter right at > the point of the dialup. There, the comparison is a simple compare of a > 32 bit integer (IP address assigned to the dialup user, compared to the > IP address of packets received from the user). Any discrepancies should > set off alarm bells... Some ISPs, including the very large one for which I wrote the PPP code, already do this. Source address assurance is the mirror image of destination-based routing. That's not to say that routing is always symmetrical, but the problem is no harder, and can be made no slower. Barney Wolff <[email protected]>
|