Packets from net 10 (no, not the lyrics)

John A. Tamplin jat at traveller.com
Tue Sep 23 21:59:58 UTC 1997


On Tue, 23 Sep 1997, Todd R. Stroup wrote:

> > Maybe I am missing something, but we use an inbound access list on all
> > external links that eliminates IP address spoofing, as well as some basic
> > security issues (blocking NFS, r* commands, etc just in case some machine
> > inside is misconfigured).  If you have an inbound access list that filters
> > based on the source address already, why would you not add the private 
> > addresses to that?
> 
> This is sort of a different issue.. you are filtering IP not routes. If
> you peer with someone that is sending you 10/8 even though you have it
> filtered on the inbound of your interface (which is good for CPU) you will
> still have a route injected into your route tables which could be 
> bad.  Why not destroy the bad routes before they get to your routing 
> table? 

I guess I was referring to those comments in this thread suggesting that
instead of using inbound access filters, which cause CPU performance issues,
routes should be generated to null0 (which, from my understanding, is
still process switched).  Perhaps my choice of message to quote was poor,
but my point is that it seems like you need an ACL on every incoming link
regardless, and you need a filter list on every BGP peer regardless, so why
not put checks in both?  I wouldn't think that, given that you need an access
list, adding a few more entries is going to significantly impact performance.

John Tamplin					Traveller Information Services
jat at Traveller.COM				2104 West Ferry Way
205/883-4233x7007				Huntsville, AL 35801
