North American Network Operators Group


filtering spoofed addresses cheaply

  • From: William Allen Simpson
  • Date: Sun Apr 26 02:26:21 1998

There has been a fair amount of discussion about where and how to filter
spoofed IP Source addresses.  I don't understand why this is considered
so hard.  Let me tell you about what Merit did nearly 15 years ago....

Every NAS (they were called SCPs in those days) knows the address
assigned to each link.   So, Merit code just replaced the incoming IP
Source field with the known address, before calculating the IP Header
checksum.  Spoofed addresses -> packets discarded with bad checksum.
Simple.  Elegant.  No additional CPU.

We merely want the same thing to happen BY DEFAULT on every dial-up
link.  Listening Lucent/Livingston?  Ascend?  Et alia?

Now, the ethernet spoof detection is a little harder, but since each
interface is already configured with an address and subnet prefix length
(or mask), every interface should simply discard all incoming packets
with an IP Source prefix that does not match.  The knob for accepting
other extra subnets should default to "off", just as the knob for
accepting RIP broadcasts defaults to "off", and the knob for BGP peers
defaults to "off".  KISS.  You don't accept unexpected routing
advertisements from your downstreams, do you!?!?

The whole argument about asymmetric routing does not apply.  You would
not filter at those multi-homed routers in any case, and you already
have to configure something special (routing policy).

[email protected]
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
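Both checks the post describes, as an added Python illustration that is not code from the post or from Merit: the header builder, the addresses and the function names are constructed for the demo, and a NAS that rewrites the source before checksumming is modelled as "rewrite, then verify".

```python
import ipaddress
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; returns 0 when the
    embedded checksum field is consistent with the rest of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (TTL 64, proto TCP) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def nas_accepts(header: bytes, link_addr: str) -> bool:
    """The dial-up trick: overwrite the Source field with the address assigned
    to the link, then verify the checksum. A spoofed source no longer matches
    the checksum the sender computed, so the packet is discarded."""
    rewritten = header[:12] + ipaddress.IPv4Address(link_addr).packed + header[16:]
    return ip_checksum(rewritten) == 0


def interface_accepts(header: bytes, prefix: str) -> bool:
    """The ethernet version: the interface already knows its address and
    prefix length, so drop any packet whose source lies outside that prefix."""
    src = ipaddress.IPv4Address(header[12:16])
    return src in ipaddress.ip_network(prefix, strict=False)
```

Because the checksum is only a 16-bit sum, two different sources whose halfwords add to the same value (192.1.2.0 and 192.0.2.1, say) are indistinguishable to the rewrite trick, so the explicit prefix comparison is the stronger check where the CPU budget allows it.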