RE: Force10 Gear - Opinions

• From: James Jun
• Date: Thu Sep 04 10:25:35 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

> uRPF strict as a configuration default, on customers without possible
> asymmetry (multihoming, one-way tunneling, etc) is not a bad default.
> But when the customers increase in complexity, the time might come to
> relax things some.  It's certainly not a be-all-end-all.  And it's
> been demonstrated time after time here that anti-spoof/bogon filtering
> isn't even a factor in most large-scale attacks on the public Internet
> these days.  Think massively sized, well connected, botnets.  See also
> CP attacks (which, again, the F10 can't even help you with).

Indeed... In today's internet, protecting your own box (cp-policer/control
plane filtering) is far more important IMO than implementing BCP38 when much
of attack traffic comes from legitimate IP sources anyway (see botnets). 

james

• Follow-Ups:
  • BCP38 dismissal Jo Rhett

• References:
  • Re: Force10 Gear - Opinions Jo Rhett
  • Re: Force10 Gear - Opinions Paul Wall

• Prev by Date: Re: ingress SMTP
• Next by Date: Re: ingress SMTP
• Date Index
• Thread Index
• Author Index
• Historical