filtering spoofed addresses cheaply
William Allen Simpson
wsimpson at greendragon.com
Sun Apr 26 05:49:03 UTC 1998
There has been a fair amount of discussion about where and how to filter
spoofed IP Source addresses. I don't understand why this is considered
so hard. Let me tell you about what Merit did nearly 15 years ago....
Every NAS (they were called SCPs in those days) knows the address
assigned to each link. So, Merit code just replaced the incoming IP
Source field with the known address, before calculating the IP Header
checksum. Spoofed addresses -> packets discarded with bad checksum.
Simple. Elegant. No additional CPU.
We merely want the same thing to happen BY DEFAULT on every dial-up
link. Listening Lucent/Livingston? Ascend? Et alia?
Now, the ethernet spoof detection is a little harder, but since each
interface is already configured with an address and subnet prefix length
(or mask), every interface should simply discard all incoming packets
with an IP Source prefix that does not match. The knob for accepting
other extra subnets should default to "off", just as the knob for
accepting RIP broadcasts defaults to "off", and the knob for BGP peers
defaults to "off". KISS. You don't accept unexpected routing
advertisements from your downstreams, do you!?!?
The whole argument about asymmetric routing does not apply. You would
not filter at those multi-homed routers in any case, and you already
have to configure something special (routing policy).
WSimpson at UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
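Editor's added example, not Merit's code nor any vendor's: a small Python model of the two checks the post describes. The first is the NAS trick (overwrite the IP Source field with the address assigned to the link, then run the header checksum verification that happens anyway, so a spoofed source becomes a checksum failure). The second is the LAN-interface rule (discard any packet whose source falls outside the prefix configured on the receiving interface, with the "accept other subnets" knob defaulting to off). The function names, the sample addresses (documentation ranges) and the sample packets are all constructed here for illustration.

```python
"""Two cheap ingress anti-spoofing checks, modelled after the post above.

Added example, not code from the original post.  Packets and addresses
below are constructed for the demonstration.
"""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the 16-bit ones' complement sum.

    Run over a header whose checksum field is already filled in, a correct
    header sums to 0xFFFF and this returns 0; that is the receiver-side check.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Sender side: minimal 20-byte IPv4 header (UDP, TTL 64) with a valid checksum.

    Only used to construct sample packets for the checks below.
    """
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20 + payload_len, 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def nas_accept(packet: bytes, link_addr: str) -> bool:
    """The Merit NAS trick: overwrite the source with the address assigned to
    this dial-up link, then verify the header checksum as the stack would
    anyway.  A packet whose source already was link_addr still verifies;
    a spoofed source turns into a checksum failure, at no extra cost.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return False
    header = packet[:ihl]
    rewritten = header[:12] + ipaddress.IPv4Address(link_addr).packed + header[16:]
    return ipv4_checksum(rewritten) == 0


def lan_accept(packet: bytes, iface_prefix: str, extra_subnets=()) -> bool:
    """The LAN-interface rule: drop any packet whose source lies outside the
    prefix configured on the receiving interface.  extra_subnets is the
    "accept other subnets" knob, which defaults to off (empty).
    """
    if len(packet) < 20:
        return False
    src = ipaddress.IPv4Address(packet[12:16])
    allowed = [ipaddress.IPv4Network(iface_prefix, strict=False)]
    allowed += [ipaddress.IPv4Network(s, strict=False) for s in extra_subnets]
    return any(src in net for net in allowed)


# Constructed sample configuration and packets (documentation address ranges).
LINK_ADDR = "198.51.100.7"    # address the NAS assigned to this dial-up link
LAN_PREFIX = "192.0.2.1/24"   # address/prefix configured on the LAN interface
DST = "203.0.113.80"

honest_dialup = build_ipv4_header(LINK_ADDR, DST)
spoofed_dialup = build_ipv4_header("203.0.113.9", DST)
honest_lan = build_ipv4_header("192.0.2.42", DST)
spoofed_lan = build_ipv4_header("198.18.0.1", DST)
# Caveat the post does not mention: the checksum is a 16-bit ones' complement
# sum, so a spoofed source whose two halves add up to the same value as the
# real one survives the rewrite.  10.1.0.0 and 10.0.0.1 are such a pair.
collision_dialup = build_ipv4_header("10.1.0.0", DST)


def demo() -> dict:
    """Run every sample packet through the check its link would apply."""
    return {
        "nas_honest": nas_accept(honest_dialup, LINK_ADDR),
        "nas_spoofed": nas_accept(spoofed_dialup, LINK_ADDR),
        "nas_collision": nas_accept(collision_dialup, "10.0.0.1"),
        "lan_honest": lan_accept(honest_lan, LAN_PREFIX),
        "lan_spoofed": lan_accept(spoofed_lan, LAN_PREFIX),
        "lan_spoofed_knob_on": lan_accept(spoofed_lan, LAN_PREFIX, ["198.18.0.0/15"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accept' if ok else 'DROP'}")
```

The rewrite-then-verify check is free because the checksum is computed once either way; the only thing the NAS adds is a 4-byte copy. The collision case in the sample shows its one blind spot: two source addresses whose 16-bit halves have the same ones' complement sum are indistinguishable to the checksum, so a strict compare of the source field against the link address is the exact form of the same rule where the extra compare is affordable. The LAN-interface check has no such blind spot but does need the interface's prefix to be configured, which the post notes it already is.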