NSPs and filters (fwd)

• Previous message (by thread): NSPs and filters (fwd)
• Next message (by thread): Intrusion Detection Systems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Date: Mon, 14 Jul 1997 12:29:32 -0400
> From: Daniel Senie <dts at proteon.com>
> 
> And it goes beyond that... Every PC running Windows (or any other OS,
> for that matter) has complete ability to do anything with IP. So, any
> user on a dialup line into any ISP is a possible source of attacks.
> 
> This is why I think the RAS servers need to be able to filter right at
> the point of the dialup. There, the comparison is a simple compare of a
> 32 bit integer (IP address assigned to the dialup user, compared to the
> IP address of packets received from the user). Any discrepancies should
> set off alarm bells...

Some ISPs, including the very large one for which I wrote the PPP code,
already do this.

Source address assurance is the mirror image of destination-based routing.
That's not to say that routing is always symmetrical, but the problem
is no harder, and can be made no slower.

Barney Wolff  <barney at databus.com>

• Previous message (by thread): NSPs and filters (fwd)
• Next message (by thread): Intrusion Detection Systems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]