NSPs and filters

Jon Lewis jlewis at inorganic5.fdt.net
Sun Jul 13 05:30:46 UTC 1997


On Sat, 12 Jul 1997, Daniel Senie wrote:

> Another thing I'd like folks to consider. Many of you manage the routers
> at customer sites. I would guess that in most cases, folks forging IP
> addresses are NOT the folks who have access to routers at a site. If
> you, as an ISP, manage the router at the customer end of a circuit, ADD
> FILTERS THERE! Make sure that packets transmitted from the customer's
> router to your network are VALID addresses. The

FDT has an office with a Sprint/Centel T1 in which Sprint supplies and
maintains the router at our end...an intolerable situation, but that's
another story.

The topic of access-list filters has come up many times, and Sprint
refused to add any filters to the 2501 at our end, and would not give FDT
access to it in any way.  I noticed they were doing no filtering
whatsoever, and promptly gave them some real life examples of why egress
filtering is a good thing by forging packets into their NOC.  They proved
their cluelessness by adding tcp and udp egress filters, rather than just
ip.  Last time I tried, I could still forge icmp from tlh.

------------------------------------------------------------------
 Jon Lewis <jlewis at fdt.net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
________Finger jlewis at inorganic5.fdt.net for PGP public key_______
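
An added example, not part of the original message: a small first-match ACL model showing why source-address filters written per protocol (tcp and udp) still pass packets with invalid sources in other protocols, while a single `ip` match does not. The prefixes, the rule layout and the function names are constructed assumptions, not the configuration of the router discussed above.

```python
import ipaddress

# Constructed values: a documentation prefix stands in for the customer block.
CUSTOMER = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each rule is (action, protocol, source network); "ip" matches every protocol.
# Assumed shape of a per-protocol filter: source checks for tcp and udp only,
# with a trailing permit so that other traffic keeps flowing.
PER_PROTOCOL_ACL = [
    ("permit", "tcp", CUSTOMER),
    ("permit", "udp", CUSTOMER),
    ("deny", "tcp", ANY),
    ("deny", "udp", ANY),
    ("permit", "ip", ANY),
]

# Filter on the IP source address itself, whatever the protocol.
IP_ACL = [
    ("permit", "ip", CUSTOMER),
    ("deny", "ip", ANY),
]

def evaluate(acl, protocol, src):
    """First-match evaluation with an implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, rule_proto, network in acl:
        if rule_proto in ("ip", protocol) and addr in network:
            return action
    return "deny"

def spoofed_leaks(acl, packets):
    """Protocols for which a packet with a non-customer source is permitted."""
    return sorted({proto for proto, src in packets
                   if ipaddress.ip_address(src) not in CUSTOMER
                   and evaluate(acl, proto, src) == "permit"})

# Constructed traffic sample: (protocol, source address).
PACKETS = [
    ("tcp", "192.0.2.10"), ("icmp", "192.0.2.10"),      # valid sources
    ("tcp", "198.51.100.7"), ("udp", "198.51.100.7"),   # invalid sources
    ("icmp", "198.51.100.7"), ("gre", "203.0.113.9"),
]

if __name__ == "__main__":
    print("per-protocol ACL leaks:", spoofed_leaks(PER_PROTOCOL_ACL, PACKETS))
    print("ip ACL leaks:", spoofed_leaks(IP_ACL, PACKETS))
```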



