Packets from net 10 (no, not the lyrics)

John A. Tamplin jat at traveller.com
Tue Sep 23 18:43:21 UTC 1997


On Tue, 23 Sep 1997, Todd R. Stroup wrote:

> You want to filter on an interface for this?  If you get the route into
> your routing table that's where the problem starts.  Attaching the filter
> to the peer session will at least get rid of the bad routes from the
> start.  I would rather use CPU on keeping the BGP sessions clean than
> wasting it on checking the interface for packets with 10/8.  If anyone
> has any better suggestions, I would love to hear them. 

Maybe I am missing something, but we use an inbound access list on all
external links that eliminates IP address spoofing, as well as some basic
security issues (blocking NFS, r* commands, etc. just in case some machine
inside is misconfigured).  If you have an inbound access list that filters
based on the source address already, why would you not add the private 
addresses to that?

John Tamplin					Traveller Information Services
jat at Traveller.COM				2104 West Ferry Way
205/883-4233x7007				Huntsville, AL 35801
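
The single inbound list described in the message above, modelled as an added example (not part of the original post, and not any router's actual configuration): one ordered rule set on an external link that drops spoofed internal sources, private sources such as 10/8, and the services the message names. The internal prefix 192.0.2.0/24, the sample addresses and the function names are constructed assumptions; the port numbers are the standard assignments for NFS and the r* commands.

```python
import ipaddress

# Assumption: the site's own address block (documentation range, constructed).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# RFC 1918 private space, including the 10/8 discussed in the thread.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services the message mentions blocking: NFS and the r* commands.
BLOCKED_SERVICES = {("tcp", 2049): "nfs", ("udp", 2049): "nfs",
                    ("tcp", 512): "rexec", ("tcp", 513): "rlogin",
                    ("tcp", 514): "rsh"}


def check_inbound(src, dst, proto="tcp", dport=None):
    """Return (action, reason) for a packet arriving on an external link."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    # 1. Anti-spoofing: our own prefixes never appear as a source from outside.
    if any(src_ip in net for net in INTERNAL_NETS):
        return ("deny", "spoofed-internal-source")
    # 2. Private sources are added to the same source-address check.
    for net in PRIVATE_NETS:
        if src_ip in net:
            return ("deny", f"private-source {net}")
    # 3. Service blocks, in case an inside machine is misconfigured.
    service = BLOCKED_SERVICES.get((proto, dport))
    if service and any(dst_ip in net for net in INTERNAL_NETS):
        return ("deny", f"blocked-service {service}")
    return ("permit", "default")


def run_samples():
    """Evaluate constructed sample packets: (src, dst, proto, dport)."""
    samples = [
        ("10.1.2.3", "192.0.2.10", "tcp", 80),       # private 10/8 source
        ("192.0.2.77", "192.0.2.10", "tcp", 25),     # our own prefix, from outside
        ("198.51.100.5", "192.0.2.10", "udp", 2049), # NFS from a valid source
        ("172.32.0.1", "192.0.2.10", "tcp", 80),     # just outside 172.16/12
        ("198.51.100.5", "192.0.2.10", "tcp", 80),   # ordinary traffic
    ]
    return [(pkt, check_inbound(*pkt)) for pkt in samples]


if __name__ == "__main__":
    for pkt, (action, reason) in run_samples():
        print(f"{action:6} {reason:28} {pkt}")
```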
