North American Network Operators Group


Re: address spoofing

  • From: bmanning
  • Date: Fri Apr 23 19:46:34 1999

> > > Furthermore, whether the RFC [1918] says so or not, I'm going to block
> > > these packets at *my* border routers, because:
> > 
> > Curious as to the cost (added latency) in doing RFC 1918 source address
> > filtering on all packets in the context of cost-benefit analysis.
> 
> The cost is dependent on the quality of the filtering implementation of
> your routers. It's quite possible to implement source address filtering
> as a part of ASIC-assisted routing, resulting in wire-speed filtering.
> Whether any given vendor has or has not implemented their equipment to
> allow wire speed filtering is something you might want to ask salesmen.
> 
> As it's something which network providers should be doing, it's a
> capability that should be demanded of the hardware vendors.
> 
> -- 
> -----------------------------------------------------------------
> Daniel Senie                                        [email protected]
> Amaranth Networks Inc.            http://www.amaranthnetworks.com

Well, that will eventually get somebody into trouble.  Long ago & far
away, Dave Mills created a list of "forbidden" network prefixes in the
fuzzball routers.  The Martian list consisted of the "zero & all-ones"
/24 networks at the edges of the old classful boundaries.  Many router
vendors hardcoded those as well.  Ate my lunch a few years ago w/
ciscos.  It seems to be fixed (again) in the latest 12.0 codebase.

Tossing six /24s is one thing. Tossing two hundred seventy /16s is
something else again...

--bill
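An added illustration of the two filtering tables discussed in this thread (it is not code from the list or from any router vendor): RFC 1918 source filtering as the thread recommends, beside a constructed six-entry stand-in for the old fuzzball "Martian" list (the zero and all-ones /24 at each classful boundary, as bmanning describes it), to show how a stale hardcoded table silently drops traffic from prefixes that have since become legitimate. The sample source addresses are constructed.

```python
import ipaddress

# RFC 1918 private space. A packet arriving from the public Internet with one
# of these as its *source* address is spoofed or leaked and can be dropped.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the old fuzzball "Martian" list the thread refers
# to: the zero and all-ones /24 at each old classful boundary (six entries).
# Kept in its own table so it can be retired without touching RFC 1918 rules.
LEGACY_MARTIANS = [ipaddress.ip_network(p) for p in
                   ("0.0.0.0/24", "127.255.255.0/24", "128.0.0.0/24",
                    "191.255.255.0/24", "192.0.0.0/24", "223.255.255.0/24")]

def match_prefix(src, prefixes):
    """Return the first prefix in the list that contains src, or None."""
    addr = ipaddress.ip_address(src)
    return next((net for net in prefixes if addr in net), None)

def filter_sources(sources, deny_lists):
    """Classify source addresses against named deny lists, first match wins.

    Returns (source, 'drop'|'pass', reason) tuples; reason names the
    deny list and prefix that matched.
    """
    results = []
    for src in sources:
        decision, reason = "pass", "no deny-list match"
        for name, prefixes in deny_lists:
            net = match_prefix(src, prefixes)
            if net is not None:
                decision, reason = "drop", f"{name}: {net}"
                break
        results.append((src, decision, reason))
    return results

def slash16_equivalents(prefixes):
    """Number of /16s covered by the prefixes that are /16 or shorter."""
    return sum(2 ** (16 - n.prefixlen) for n in prefixes if n.prefixlen <= 16)

if __name__ == "__main__":
    # Constructed sample of source addresses seen on an inbound border interface.
    sample = ["10.1.2.3", "172.31.0.9", "192.168.100.1", "128.0.0.1", "198.51.100.7"]
    for row in filter_sources(sample, [("rfc1918", RFC1918)]):
        print(row)
    # With the stale Martian table still active, 128.0.0.1 (no longer reserved) is dropped too.
    for row in filter_sources(sample, [("rfc1918", RFC1918), ("legacy", LEGACY_MARTIANS)]):
        print(row)
    print(slash16_equivalents(RFC1918), "/16-equivalents in RFC 1918")
```

Running it shows the asymmetry the thread ends on: the legacy table covers six /24s, while the RFC 1918 table covers 273 /16-equivalents, so a hardcoded copy of either is only as good as the day it was compiled.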