address spoofing
bmanning at vacation.karoshi.com
Fri Apr 23 23:47:45 UTC 1999
> > > Furthermore, whether the RFC [1918] says so or not, I'm going to block
> > > these packets at *my* border routers, because:
> >
> > Curious as to the cost (added latency) in doing RFC 1918 source address
> > filtering on all packets in the context of cost-benefit analysis.
>
> The cost is dependent on the quality of the filtering implementation of
> your routers. It's quite possible to implement source address filtering
> as a part of ASIC-assisted routing, resulting in wire-speed filtering.
> Whether any given vendor has or has not implemented their equipment to
> allow wire speed filtering is something you might want to ask salesmen.
>
> As it's something which network providers should be doing, it's a
> capability that should be demanded of the hardware vendors.
>
> --
> -----------------------------------------------------------------
> Daniel Senie dts at senie.com
> Amaranth Networks Inc. http://www.amaranthnetworks.com
Well, that will eventually get somebody into trouble. Long ago & far
away, Dave Mills created a list of "forbidden" network prefixes in the
fuzzball routers. The Martian list consisted of the "zero & all-ones"
/24 networks at the edges of the old classful boundaries. Many router
vendors hardcoded those as well. Ate my lunch a few years ago w/
ciscos. It seems to be fixed (again) in the latest 12.0 codebase.
Tossing six /24s is one thing. Tossing two hundred seventy /16s is
something else again...
--bill
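An added illustration of the RFC 1918 source-address filter the thread is arguing about (example code, not from any poster or vendor): the filtered prefixes are held as configuration rather than baked in, which is the failure mode Bill describes with the hard-coded Martian list, and the flow records it runs over are constructed samples, not real traffic.

```python
"""RFC 1918 source-address (ingress) filter at a border router.

Added example, not code from the original post. The prefix list is
data, not a hard-coded table, so an operator can change it without
waiting for a vendor code release.
"""
import ipaddress
from collections import Counter

# RFC 1918 private space, the only thing filtered by default.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def count_slash16s(prefixes):
    """Number of /16s a prefix list covers (the scale the post compares)."""
    return sum(2 ** (16 - p.prefixlen) for p in prefixes if p.prefixlen <= 16)


def should_drop(src, prefixes=RFC1918):
    """Return the filtered prefix a source address falls in, else None."""
    addr = ipaddress.ip_address(src)
    for p in prefixes:
        if addr in p:
            return p
    return None


def filter_log(lines, prefixes=RFC1918):
    """Apply the filter to 'src -> dst' flow records.

    Returns (allowed_records, Counter of drops keyed by matching prefix).
    """
    allowed, dropped = [], Counter()
    for line in lines:
        src, _, _dst = line.partition(" -> ")
        hit = should_drop(src.strip(), prefixes)
        if hit is None:
            allowed.append(line)
        else:
            dropped[str(hit)] += 1
    return allowed, dropped


# Constructed sample flow records (documentation ranges, not real traffic).
SAMPLE_FLOWS = [
    "10.1.2.3 -> 198.51.100.7",
    "192.0.2.10 -> 198.51.100.7",
    "172.31.255.1 -> 198.51.100.9",
    "172.32.0.1 -> 198.51.100.9",   # just past 172.16/12, so allowed
    "192.168.0.5 -> 198.51.100.7",
    "203.0.113.4 -> 198.51.100.7",
]

if __name__ == "__main__":
    kept, drops = filter_log(SAMPLE_FLOWS)
    print("allowed:", kept)
    print("dropped per prefix:", dict(drops))
    print("/16s covered by filter:", count_slash16s(RFC1918))
```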