North American Network Operators Group


RE: On the back of other 'security' posts....

  • From: Terry Baranski
  • Date: Sun Aug 31 13:55:08 2003

On Sunday, August 31, 2003 8:26 AM Stephen J. Wilcox wrote:
>
> On Sat, 30 Aug 2003, Terry Baranski wrote:
>
> > In what instances is blocking spoofed traffic at the edge not
> > feasible? ("Spoofed" as in not sourced from one of the customer's
> > netblocks.)
> 
> Where the customer is not a basic end user.. an ISP for example who may be
> transiting traffic from netblocks that are not theirs.

I've been using the term "edge" to refer to a standard customer; i.e.,
not an ISP.  I tend to think of ISP <-> ISP links as borders, but I
guess the term only applies to peers.  But in any case, if all ISPs put
anti-spoof filters on "standard customer" edge links as well as their
own upstream links, is there any need for such filters anywhere else?
It might be compared to deploying protocol extensions such as S(o)BGP:
the benefit gained correlates with ubiquity of the deployment.

> We still have the other problem where a lot of large networks are using
> RFC1918 addresses that do not get NAT'd thus filtering will break pMTU..
> this is an issue in my experience mainly for those who host websites,
> altho many of those are filtering their own packets anyway and have
> broken sites!

Fair enough, though most seem to consider this a broken design practice.
If one of the side effects of anti-spoof filtering is that broken
networks break some more, maybe that's tolerable.

-Terry
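The two filters the thread argues about, as an added worked example that is not part of the original post or of anything NANOG publishes: a BCP38-style anti-spoof check on a customer edge link (the prefix list can hold a downstream ISP's transit netblocks as well as its own), and a plain RFC1918 source filter, with a check that shows the pMTU side effect Stephen describes, namely that an ICMP "fragmentation needed" message sourced from an un-NATed RFC1918 router address is discarded, so the sender never learns the smaller MTU. All prefixes, addresses and packets below are constructed sample values from the documentation ranges, not data from the thread.

```python
"""Toy model of edge anti-spoof filtering and of the pMTU breakage that an
RFC1918 source filter causes (added example, constructed sample data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    icmp_type: int = 0  # ICMP type 3 = destination unreachable
    icmp_code: int = 0  # code 4 of type 3 = fragmentation needed


# The three RFC1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(addr, nets):
    """True if addr falls inside one of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def edge_antispoof(customer_prefixes):
    """Build an ingress filter for one customer edge link: a packet is
    allowed only if its source lies in a prefix the customer (or, for a
    downstream ISP, its own customers) legitimately announces."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    return lambda pkt: in_any(pkt.src, nets)


def bogon_source_filter(pkt):
    """Border filter that discards anything sourced from RFC1918 space."""
    return not in_any(pkt.src, RFC1918)


def is_frag_needed(pkt):
    return pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 4


def run_filter(allow, packets):
    """Split packets into those the filter passes and those it drops."""
    passed, dropped = [], []
    for p in packets:
        (passed if allow(p) else dropped).append(p)
    return passed, dropped


def pmtud_breaks(allow, packets):
    """True if the filter drops any fragmentation-needed message, which is
    exactly the case where path MTU discovery stops working."""
    return any(is_frag_needed(p) and not allow(p) for p in packets)


# Constructed sample: a customer announcing 203.0.113.0/24 (documentation
# range), sending one legitimate packet, one spoofed packet and one packet
# leaked from un-NATed private space.
SAMPLE_CUSTOMER_TRAFFIC = [
    Packet("203.0.113.10", "198.51.100.1", "tcp"),   # legitimate source
    Packet("198.51.100.77", "192.0.2.5", "udp"),     # spoofed source
    Packet("10.1.2.3", "192.0.2.5", "tcp"),          # leaked RFC1918 source
]

# Constructed sample: a website host whose core router, numbered from
# 10.0.0.0/8 and never NATed, sends "fragmentation needed" back to a client.
SAMPLE_ICMP = [
    Packet("10.200.1.1", "192.0.2.5", "icmp", icmp_type=3, icmp_code=4),
    Packet("203.0.113.1", "192.0.2.5", "icmp", icmp_type=3, icmp_code=4),
]


if __name__ == "__main__":
    allow = edge_antispoof(["203.0.113.0/24"])
    passed, dropped = run_filter(allow, SAMPLE_CUSTOMER_TRAFFIC)
    print("passed:", [p.src for p in passed])
    print("dropped:", [p.src for p in dropped])
    print("RFC1918 filter breaks pMTU:", pmtud_breaks(bogon_source_filter, SAMPLE_ICMP))
```

Running the block shows only the 203.0.113.10 packet passing the edge filter, and the RFC1918 source filter discarding the 10.200.1.1 "fragmentation needed" message, which is the case Stephen has in mind when he says such networks end up with broken sites.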