North American Network Operators Group

Re: address spoofing
> > > Furthermore, whether the RFC [1918] says so or not, I'm going to block
> > > these packets at *my* border routers, because:
> >
> > Curious as to the cost (added latency) in doing RFC 1918 source address
> > filtering on all packets in the context of cost-benefit analysis.
>
> The cost is dependent on the quality of the filtering implementation of
> your routers. It's quite possible to implement source address filtering
> as a part of ASIC-assisted routing, resulting in wire-speed filtering.
> Whether any given vendor has or has not implemented their equipment to
> allow wire speed filtering is something you might want to ask salesmen.
>
> As it's something which network providers should be doing, it's a
> capability that should be demanded of the hardware vendors.
>
> --
> -----------------------------------------------------------------
> Daniel Senie [email protected]
> Amaranth Networks Inc. http://www.amaranthnetworks.com

Well, that will eventually get somebody into trouble. Long ago & far away, Dave Mills created a list of "forbidden" network prefixes in the fuzzball routers. The Martian list consisted of the "zero & all-ones" /24 networks at the edges of the old classful boundaries. Many router vendors hardcoded those as well. Ate my lunch a few years ago w/ ciscos. It seems to be fixed (again) in the latest 12.0 codebase.

Tossing six /24s is one thing. Tossing two hundred seventy /16s is something else again...

--bill
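The thread above contrasts two drop lists a border router might apply to source addresses: the three RFC 1918 prefixes, and the old fuzzball "Martian" list of classful-edge /24s. The following is an added example, not code from the NANOG thread or from any router vendor. It models a source-address ingress filter in Python, keeps the Martian list as data rather than a hardcoded constant (Bill's point about lists that outlive their reason for existing), and computes how much address space each list covers in /16 units. The six Martian /24s are a reconstruction from the description in the message (zero and all-ones /24 at each edge of the old class A, B and C ranges) and are an assumption; the packet tuples are constructed sample input. The RFC 1918 prefixes work out to exactly 273 /16 equivalents.

```python
"""Source-address ingress filter model (added example, not from the thread)."""
import ipaddress
from fractions import Fraction

# RFC 1918 private address space, as published.
RFC1918 = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# ASSUMED reconstruction of the fuzzball "Martian" list: the zero and
# all-ones /24 at the low and high edge of the old class A, B and C ranges.
FUZZBALL_MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/24", "127.255.255.0/24",      # class A edges
    "128.0.0.0/24", "191.255.255.0/24",    # class B edges
    "192.0.0.0/24", "223.255.255.0/24",    # class C edges
)]


class IngressFilter:
    """Drops packets whose source address falls in a configured prefix.

    The Martian list is a constructor argument, not a module constant, so
    an operator can retire a prefix once it becomes legitimately routed.
    """

    def __init__(self, martians, rfc1918=True):
        self.rules = []
        if rfc1918:
            self.rules += [("rfc1918", net) for net in RFC1918]
        self.rules += [("martian", net) for net in martians]

    def classify(self, src):
        """Return 'rfc1918', 'martian', or 'pass' for a source address."""
        addr = ipaddress.ip_address(src)
        for tag, net in self.rules:
            if addr in net:
                return tag
        return "pass"

    def filter_packets(self, packets):
        """Split (src, dst) tuples into (passed, dropped) lists."""
        passed, dropped = [], []
        for pkt in packets:
            (passed if self.classify(pkt[0]) == "pass" else dropped).append(pkt)
        return passed, dropped

    def drop_space_in_slash16s(self):
        """Address space covered by the drop list, measured in /16 units."""
        return sum(Fraction(2 ** (32 - net.prefixlen), 2 ** 16)
                   for _, net in self.rules)


# Constructed sample traffic: one RFC 1918 source, one classful-edge source,
# one ordinary source (documentation ranges used for both sides).
SAMPLE_PACKETS = [
    ("10.1.2.3", "198.51.100.7"),
    ("192.0.0.5", "198.51.100.7"),
    ("203.0.113.9", "198.51.100.7"),
]

if __name__ == "__main__":
    strict = IngressFilter(FUZZBALL_MARTIANS)
    passed, dropped = strict.filter_packets(SAMPLE_PACKETS)
    print("passed:", passed)
    print("dropped:", dropped)
    print("RFC 1918 coverage in /16s:",
          IngressFilter([]).drop_space_in_slash16s())
    print("Martian coverage in /16s:",
          IngressFilter(FUZZBALL_MARTIANS, rfc1918=False).drop_space_in_slash16s())
```

Run with no arguments it drops the first two sample packets and passes the third. Replacing `FUZZBALL_MARTIANS` with an empty list, or a list with one prefix removed, changes the verdict for 192.0.0.5 without touching the filter logic, which is the property a hardcoded vendor list lacks.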