North American Network Operators Group
Re: ICMP Attacks???????
> > I don't think that's a good idea. The vast majority of routers that
> > I sell to customers are not used in Internet applications, and to add
> > another configuration step to enable the router to do what routers
> > traditionally do by default would be very confusing to the end user.

> You're saying that Corporate America *relies* on being able to do
> IP source address spoofing through the routers it builds its commercial
> private networks with? <sigh>

No, I believe he's saying that Corporate America comes in two flavors.

1) that isn't terribly clueful, and doesn't know how their packets route
   (scary how often you see this .. RIP-based networks that "just work")

2) Multi-path, decentralized network administration. So any given router
   will not be aware of all paths in the topology, and may route packets
   that it doesn't know how to return. Deliberately.

Trust me, you don't know how your peer routes their traffic. Neither does
sales know how the engineering department does in some cases. Or the
backbone group knows all, and the department routers know nothing.

In any case, this logic used for this would have to be very complex.
..which would cause complex problems. I prefer simple manual editing.

Actually, on the End-Of-Branch routers you could implement functions which
say not to route anything coming through a given interface unless it is
from that network. But this won't work on most branch router
configurations. It's simply not that simple.

--
Joe Rhett
Systems Engineer
[email protected]
ISite Services

PGP keys and contact information: http://www.navigist.com/Staff/JRhett
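
The per-interface source check discussed in the message above, modelled as an added example that is not part of the original post. It shows the check dropping a spoofed source on an end-of-branch router and dropping legitimate traffic on a multi-path branch router; interface names and prefixes are constructed (documentation and private ranges), and the filter function is hypothetical, not any vendor's implementation.

```python
import ipaddress

def make_filter(allowed):
    """allowed maps an interface name to the source prefixes expected on it."""
    table = {ifname: [ipaddress.ip_network(p) for p in prefixes]
             for ifname, prefixes in allowed.items()}

    def permit(ifname, src):
        # Forward only if the source belongs to a prefix known on that interface.
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in table.get(ifname, []))
    return permit

def dropped(permit, packets):
    """Return the (interface, source, note) tuples the filter would drop."""
    return [p for p in packets if not permit(p[0], p[1])]

# Constructed sample data; every name and prefix below is hypothetical.
# End-of-branch router: a single LAN with nothing routed behind it.
LEAF_FILTER = make_filter({"lan0": ["192.0.2.0/24"]})
LEAF_PACKETS = [
    ("lan0", "192.0.2.10", "local host"),
    ("lan0", "203.0.113.5", "spoofed source"),
]

# Branch router: it knows only the two attached department prefixes.
# Another group's network (10.20.0.0/16) sends through ser0 over a path
# this router has no return route for, and department A hosts can also
# arrive on ser1 because the topology is multi-path.
BRANCH_FILTER = make_filter({
    "ser0": ["198.51.100.0/25"],
    "ser1": ["198.51.100.128/25"],
})
BRANCH_PACKETS = [
    ("ser0", "198.51.100.7", "department A host"),
    ("ser0", "10.20.3.4", "legitimate transit, return path unknown here"),
    ("ser1", "198.51.100.9", "department A host via the second path"),
]

def main():
    for name, flt, pkts in (("leaf", LEAF_FILTER, LEAF_PACKETS),
                            ("branch", BRANCH_FILTER, BRANCH_PACKETS)):
        for ifname, src, note in dropped(flt, pkts):
            print(f"{name}: drop {src} on {ifname} ({note})")

if __name__ == "__main__":
    main()
```

On the leaf router the only drop is the spoofed packet; on the branch router both drops are legitimate traffic, which is the false-positive case the message describes.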