source filtering

Jared Mauch jared at
Tue Jan 12 18:06:47 UTC 1999

On Tue, Jan 12, 1999 at 05:51:36PM +0000, Alex Bligh wrote:
> > 	2) Using the "ip verifiy unicast reverse-path" Cisco feature
> > (it's in 11.1CC images when you use CEF, so I don't get a flood
> > of e-mails)
> I'm sure far more people would source filter if Cisco put this
> in CPE routers.

	This does not mean you can't filter on your fastether,
ether, fddi, etc.. that goes to customer aggregation boxes, or on
the T1 where that connectivity hits your core backbone node, (I
understand there are cases where this would not work, for some
larger customers perhaps), but for most cases, this would be possible.

	If i have network topology that provides the following

	| core rtr |--- N x backbone link(s)
             \ +------------+
              -| access lan |

	Where access lan  is any number of customer aggregation
boxes, such as 36xx w/ t1 intfs, (dial) access boxes, etc, you
can source filter that lan at that point instead of the edge.

	If you manage lans similar to this, you shouldn't allow
your dial customers to spoof and start these attacks.

	- Jared

Jared Mauch  | pgp key available via finger from jared at
clue++;      |  My statements are only mine.

More information about the NANOG mailing list