North American Network Operators Group


Re: 69/8...this sucks -- Centralizing filtering..

  • From: Iljitsch van Beijnum
  • Date: Tue Mar 11 14:07:02 2003

On Tue, 11 Mar 2003, Peter Galbavy wrote:

> > If all routes in the routing table are good (which soBGP and S-BGP can
> > do for you) and routers filter based on the contents of the routing
> > table, hosts will not see any bogon packets except locally generated
> > ones so they shouldn't have bogon filters of their own.

> I believe you are confusing authentication with authorisation.

I don't think I am.

> Having authentic routes does not imply that all the traffic will be
> 'correct'. Various networks will always fail to filter customer traffic at
> ingress etc. and then source address spoofing becomes trivial.

I don't see your point. Packets with bogon sources are just one class of
spoofed packets. As I've explained earlier, S-BGP or soBGP with uRPF will
get rid of bogons. Neither this nor bogon filters on the host will do
anything against non-bogon spoofed packets.
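
The filtering argument in this message, as an added example (not code from the thread or from any router implementation): a loose-mode uRPF check run against a routing table that is assumed to hold only validated routes. The prefixes, the packet list and all function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table. Every prefix is assumed to be validated,
# which is the property S-BGP or soBGP is meant to provide.
VALIDATED_ROUTES = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
)]

def best_route(addr, routes=VALIDATED_ROUTES):
    """Longest-prefix match; returns None when no route covers addr."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in routes if ip in net]
    return max(matches, key=lambda net: net.prefixlen, default=None)

def urpf_loose_accepts(src, routes=VALIDATED_ROUTES):
    """Loose-mode uRPF: accept a packet only if its source is routable."""
    return best_route(src, routes) is not None

# Constructed packets: (label, claimed source, sender really holds it?)
PACKETS = [
    ("legitimate", "192.0.2.10", True),
    ("bogon source", "10.1.2.3", False),               # no route in the table
    ("spoofed, routable source", "198.51.100.7", False),
]

def classify(packets=PACKETS):
    """Filter verdict per packet, based on the source address alone."""
    return {label: "accept" if urpf_loose_accepts(src) else "drop"
            for label, src, _ in packets}

def accepted_spoofs(packets=PACKETS):
    """Forged packets the filter still lets through."""
    return [label for label, src, genuine in packets
            if not genuine and urpf_loose_accepts(src)]

if __name__ == "__main__":
    for label, verdict in classify().items():
        print(f"{label:26} {verdict}")
    print("spoofed but accepted:", accepted_spoofs())
```

The bogon-sourced packet is dropped without any static bogon list, while the packet forging a routable source passes, since a route lookup says nothing about who actually sent it.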