address spoofing

bmanning at bmanning at
Fri Apr 23 23:47:45 UTC 1999

> > > Furthermore, whether the RFC [1918] says so or not, I'm going to block
> > > these packets at *my* border routers, because:
> > 
> > Curious as to the cost (added latency) in doing RFC 1918 source address
> > filtering on all packets in the context of cost-benefit analysis.
> The cost is dependent on the quality of the filtering implementation of
> your routers. It's quite possible to implement source address filtering
> as a part of ASIC-assisted routing, resulting in wire-speed filtering.
> Whether any given vendor has or has not implemented their equipment to
> allow wire speed filtering is something you might want to ask salesmen.
> As it's something which network providers should be doing, it's a
> capability that should be demanded of the hardware vendors.
> -- 
> -----------------------------------------------------------------
> Daniel Senie                                        dts at
> Amaranth Networks Inc.  

Well, that will eventually get somebody into trouble.  Long ago & far
away, Dave Mills created a list of "forbidden" network prefixes in the
fuzzball routers.  The Martian list consisted of the "zero & all-ones"
/24 networks at the edges of the old classful boundaries.  Many router
vendors hardcoded those as well.  Ate my lunch a few years ago w/
ciscos.  It seems to be fixed (again) in the latest 12.0 codebase.

Tossing six /24s is one thing. Tossing two hundred seventy /16s is
something else again...
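As an added illustration of the source-address filtering the thread discusses (example code, not from the thread or any vendor): a check of packet sources against the RFC 1918 prefixes, run over a constructed set of flows, plus a count of how many /16 equivalents such a filter covers. Addresses in the sample are constructed documentation-range values.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private-use prefixes: a border router doing source-address
# filtering drops packets whose source lies inside any of these.
RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(src: str) -> bool:
    """True if src (dotted quad) falls inside RFC 1918 space."""
    addr = ip_address(src)
    return any(addr in net for net in RFC1918)


def filter_ingress(records):
    """Apply the filter to (src, dst) pairs; return (passed, dropped) lists."""
    passed, dropped = [], []
    for src, dst in records:
        (dropped if is_rfc1918(src) else passed).append((src, dst))
    return passed, dropped


def slash16_equivalents(nets):
    """Total number of /16-sized blocks covered by a list of prefixes."""
    return sum(net.num_addresses // 2**16 for net in nets)


# Constructed sample of flows arriving at a border (hypothetical, not from the thread).
SAMPLE = [
    ("10.1.2.3", "198.51.100.7"),
    ("192.0.2.44", "198.51.100.7"),
    ("172.31.255.9", "198.51.100.8"),
    ("172.32.0.1", "198.51.100.8"),   # just outside 172.16/12: must pass
    ("192.168.0.200", "198.51.100.9"),
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE)
    print(f"passed={len(ok)} dropped={len(bad)}")
    print(f"RFC 1918 space covers {slash16_equivalents(RFC1918)} /16s")
```

The boundary case 172.32.0.1 is included because an off-by-one in a hand-written mask is exactly how a filter starts tossing prefixes it was never meant to.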
