source filtering

Alex Bligh amb at gxn.net
Tue Jan 12 18:25:47 UTC 1999


Jared,

jared at puck.nether.net said:
> 	This does not mean you can't filter on your fastether, ether, fddi,
> etc.. that goes to customer aggregation boxes,

(i.e. on the core router on ingress core). Yes, but (it would seem
in practice) not if your network access LAN is multihomed and non-trivial
in topology.

Also causes problems if you use FR or ATM as access concentrators
directly into the core (oh if only you could stick this command on
a multipoint cloud and CEF worked properly).

My point was if one shipped CPE routers out, the responsible ISP
can ship them with "no ip directed-broadcast" PLUS "ip verify unicast
reverse-path" on the CPE LAN interface, and ensure customers are
neither third-party reflectors nor perpetrators. Then use CEF to
rate-limit ICMP at the borders (which nearly works but not quite) and
you've mitigated the customers-as-victims problem too.

Is UDP smurf much in evidence? (send a UDP packet to the broadcast address
on the echo server port and you'll either get ICMP port unreachables
back or UDP echos). The reason I ask is that edge ICMP rate
limiting won't help UDP.

-- 
Alex Bligh
GX Networks (formerly Xara Networks)
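
The CPE and border settings the message describes, written out as Cisco IOS configuration. This is an added example, not part of the original post or of any vendor documentation; the interface names, addresses, ACL number and rate/burst figures are assumptions chosen for illustration.

```cisco
! Added example (not from the original message). Interface names, the
! 192.0.2.0/24 address, ACL 101 and the CAR figures are assumed.
!
! --- Weak CPE LAN interface (the pre-IOS 12.0 default): directed broadcasts
! --- are forwarded onto the LAN, so the customer LAN amplifies a smurf, and
! --- nothing checks source addresses, so the customer can also be the
! --- perpetrator.
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
! --- Hardened CPE LAN interface, as the ISP would ship it.
! uRPF is a CEF feature, so CEF must be enabled globally first.
ip cef
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ! do not forward packets addressed to 192.0.2.255 onto the wire: no reflector
 no ip directed-broadcast
 ! strict uRPF: drop any packet whose source address would not be routed back
 ! out of this interface, so spoofed-source packets from the LAN die here:
 ! no perpetrator. Safe on a CPE LAN with a single path back; as the message
 ! notes, it is not safe on a multihomed access LAN with asymmetric paths.
 ip verify unicast reverse-path
!
! --- Border (peering/transit) interface: CAR, which also relies on CEF,
! --- bounding inbound ICMP echo and echo-reply so a customer that is still
! --- targeted sees a capped flood rather than a saturated link. This does
! --- nothing for UDP-based reflection, which is the message's closing point.
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
interface Serial1/0
 description transit peer (assumed)
 rate-limit input access-group 101 256000 8000 8000 conform-action transmit exceed-action drop
```

The two interface blocks for Ethernet0 are alternatives (before and after), not both applied at once; `ip verify unicast reverse-path` will be refused by IOS if `ip cef` is not enabled, which is a quick check that CEF switching is actually in effect on the box.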