North American Network Operators Group

Re: Packets from net 10 (no, not the lyrics)
On Tue, 23 Sep 1997, John A. Tamplin wrote:

> Maybe I am missing something, but we use an inbound access list on all
> external links that eliminates IP address spoofing, as well as some basic
> security issues (blocking NFS, r* commands, etc just in case some machine
> inside is misconfigured). If you have an inbound access list that filters
> based on the source address already, why would you not add the private
> addresses to that?
>

This is sort of a different issue.. you are filtering IP not routes. If
you peer with someone that is sending you 10/8 even though you have it
filtered on the inbound of your interface (which is good for CPU) you will
still have a route injected into your route tables which could be bad. Why
not destroy the bad routes before they get to your routing table?

Todd R. Stroup
Fiber Network Solutions, Inc.

> John Tamplin                      Traveller Information Services
> [email protected]                 2104 West Ferry Way
> 205/883-4233x7007                 Huntsville, AL 35801
>
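The distinction drawn in this reply, as an added example that is not part of the original post: an interface access list drops packets, while a separate check on a peer's announcements keeps private prefixes and their more-specifics out of the routing table. The function names, the sample announcements and the next hop are constructed for illustration, and covering 172.16/12 and 192.168/16 alongside the 10/8 named in the thread is an assumption.

```python
import ipaddress

# RFC 1918 private blocks. The thread names 10/8; the other two are an assumption.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def private_block_for(prefix):
    """Return the private block containing `prefix` (equal or more specific), else None."""
    net = ipaddress.ip_network(prefix, strict=True)
    for block in PRIVATE_BLOCKS:
        if net.version == block.version and net.subnet_of(block):
            return block
    return None

def filter_announcements(announcements):
    """Split a peer's announcements into (accepted, rejected) before route installation.

    `announcements` is a list of (prefix, next_hop) tuples. Rejected entries
    also carry the matching private block so the drop can be logged.
    """
    accepted, rejected = [], []
    for prefix, next_hop in announcements:
        block = private_block_for(prefix)
        if block is None:
            accepted.append((prefix, next_hop))
        else:
            rejected.append((prefix, next_hop, str(block)))
    return accepted, rejected

# Constructed sample: announcements from one peer (documentation-range next hop).
SAMPLE = [
    ("10.0.0.0/8", "192.0.2.1"),       # the 10/8 route from the thread
    ("10.20.0.0/16", "192.0.2.1"),     # more-specific inside 10/8
    ("172.20.4.0/24", "192.0.2.1"),    # inside 172.16/12
    ("172.32.0.0/16", "192.0.2.1"),    # just outside 172.16/12
    ("198.51.100.0/24", "192.0.2.1"),  # not private
]

if __name__ == "__main__":
    ok, dropped = filter_announcements(SAMPLE)
    for prefix, nh, block in dropped:
        print(f"reject {prefix} via {nh}: inside {block}")
    for prefix, nh in ok:
        print(f"accept {prefix} via {nh}")
```

The packet filter on the interface stays in place; this check only decides which announced prefixes are allowed to become routes.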