Packets from net 10 (no, not the lyrics)

Todd R. Stroup tstroup at fibernet.net
Tue Sep 23 20:54:03 UTC 1997


On Tue, 23 Sep 1997, John A. Tamplin wrote:

> Maybe I am missing something, but we use an inbound access list on all
> external links that eliminates IP address spoofing, as well as some basic
> security issues (blocking NFS, r* commands, etc just in case some machine
> inside is misconfigured).  If you have an inbound access list that filters
> based on the source address already, why would you not add the private 
> addresses to that?
> 

This is sort of a different issue. You are filtering IP, not routes. If
you peer with someone that is sending you 10/8 even though you have it
filtered on the inbound of your interface (which is good for CPU) you will
still have a route injected into your route tables which could be 
bad.  Why not destroy the bad routes before they get to your routing 
table? 

Todd R. Stroup
Fiber Network Solutions, Inc.

> John Tamplin					Traveller Information Services
> jat at Traveller.COM				2104 West Ferry Way
> 205/883-4233x7007				Huntsville, AL 35801
> 
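
The distinction drawn in the reply above, as an added example that is not part of the original thread: a small Python model of a router with an inbound packet filter on source addresses and an optional inbound route filter. The peer names, the announcements and the function names are constructed for illustration, and the private ranges used are the RFC 1918 blocks.

```python
import ipaddress

# RFC 1918 private ranges, used here by both filters.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed announcements: (prefix, peer that sent it).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", "peer-A"),
    ("10.0.0.0/8", "peer-A"),      # private space leaked by the peer
    ("198.51.100.0/24", "peer-B"),
]

def packet_acl_permits(src):
    """Inbound interface ACL: drop packets whose source address is private."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in PRIVATE)

def route_filter_permits(prefix):
    """Inbound route filter: reject any prefix at or inside a private range."""
    net = ipaddress.ip_network(prefix)
    return not any(net.subnet_of(p) for p in PRIVATE)

def build_rib(announcements, use_route_filter):
    """Install received routes; the packet ACL plays no part in this step."""
    rib = {}
    for prefix, peer in announcements:
        if use_route_filter and not route_filter_permits(prefix):
            continue  # discarded before it reaches the routing table
        rib[ipaddress.ip_network(prefix)] = peer
    return rib

def lookup(rib, dst):
    """Longest-prefix match; returns the peer traffic to dst is sent to."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)]

if __name__ == "__main__":
    for filtered in (False, True):
        rib = build_rib(ANNOUNCEMENTS, use_route_filter=filtered)
        print("route filter:", filtered,
              "| packet from 10.1.2.3 permitted:", packet_acl_permits("10.1.2.3"),
              "| traffic to 10.1.2.3 goes to:", lookup(rib, "10.1.2.3"))
```

With only the packet filter, packets sourced from 10/8 are dropped at the interface, yet the 10/8 route is still installed and traffic addressed to 10/8 is forwarded to the peer that announced it.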


