SYN spoofing

Jared Mauch jared at puck.Nether.net
Wed Jul 28 16:07:03 UTC 1999


On Wed, Jul 28, 1999 at 11:54:03AM -0400, bryan s. blank wrote:
> 
> % 	ip verify unicast reverse-path
> % 
> % and according to Paul Ferguson (co-author of RFC 2267) it's in use by
> % many ISPs. Apparently this is very-low overhead. Paul has also indicated
> % the use of extended access lists on Cisco routers is very low overhead,
> % especially on routers using distributed express forwarding.
> 
> 	while i hate to question mr. ferguson, it's my understanding
> 	that many isps have found this feature to be unusable due to
> 	network design.

	You can't use this in the core, but you can use it on cpe facing
interfaces.

	eg: the interface that faces your dial lan, or colocate lan,
etc.. and on single ckt connections.

	You get into some cases where you have a customer that is doing
more complicated things than just pointing default at you...

	(ie: they're multihomed, or have various netblocks, and
do not announce them all to you or do policy routing inside their network).

	What problems are you seeing, as I've not had problems with
this deployed in my network.  I know that there have been ECM bugs
in the past (equal cost multipath), and it not doing the rpf check
correctly, but those problems should not affect most of the customers
in the world.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
             |           "Waste Management Consultant"           VOYN
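The strict reverse-path check Jared describes, and the two ways it bites (a multihomed customer whose unannounced netblock is routed back via the core, and an equal-cost-multipath path that a naive check ignores), as an added Python model that is not part of the original post. Interface names, prefixes and the FIB contents are constructed for illustration; the only behaviour asserted is that a source address is accepted on an interface only if the router's own best route back to that source points out the same interface.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed FIB for a small edge router (all interface names and
# prefixes are assumptions for this example). Key: destination prefix.
# Value: interfaces the router would forward that prefix out of; more
# than one entry models equal-cost multipath (ECMP).
FIB: Dict[str, List[str]] = {
    "0.0.0.0/0":       ["Gig0"],          # default toward the core
    "192.0.2.0/24":    ["Serial0"],       # single-circuit dial/colo customer
    "198.51.100.0/24": ["Serial1"],       # multihomed customer, block announced to us
    "198.51.101.0/24": ["Gig0"],          # same customer's other block, announced
                                          # only to their other provider, so we learn
                                          # it from the core rather than from them
    "203.0.113.0/24":  ["Gig0", "Gig1"],  # ECMP across two core uplinks
}


def lookup(fib: Dict[str, List[str]], src: str) -> Optional[List[str]]:
    """Longest-prefix match for a source address.

    The default route is deliberately not a match: if it counted, every
    otherwise-unknown source would pass on whichever interface default
    points out of, which defeats the purpose of the check.
    """
    addr = ipaddress.ip_address(src)
    best_net = None
    best_ifaces = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            continue
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifaces = net, ifaces
    return best_ifaces


def strict_urpf(fib: Dict[str, List[str]], src: str, ingress: str,
                multipath_aware: bool = True) -> bool:
    """Strict-mode reverse-path check: accept only if the best route back
    to the source leaves via the interface the packet arrived on.

    multipath_aware=False models the ECMP defect mentioned in the post:
    only one of several equal-cost paths is consulted, so legitimate
    traffic arriving on the other path is dropped.
    """
    ifaces = lookup(fib, src)
    if ifaces is None:
        return False            # no specific route back to the source: drop
    if multipath_aware:
        return ingress in ifaces
    return ifaces[0] == ingress


def run_scenarios() -> Dict[str, bool]:
    """True means the packet is forwarded, False means strict uRPF drops it."""
    return {
        # Single-homed customer sourcing from its own block on its own circuit.
        "single_homed_ok": strict_urpf(FIB, "192.0.2.10", "Serial0"),
        # Spoofed source belonging to a prefix routed out a different interface.
        "spoofed_dropped": strict_urpf(FIB, "203.0.113.5", "Serial0"),
        # Source covered only by the default route.
        "unrouted_dropped": strict_urpf(FIB, "100.64.0.1", "Serial0"),
        # Multihomed customer sourcing from the block it announces to us.
        "multihomed_announced_ok": strict_urpf(FIB, "198.51.100.7", "Serial1"),
        # Same customer sourcing from the block it does NOT announce to us:
        # legitimate traffic, but the route back points at the core, so it is
        # dropped. This is the "network design" case where strict mode is unusable.
        "multihomed_unannounced_dropped": strict_urpf(FIB, "198.51.101.9", "Serial1"),
        # ECMP prefix arriving on the second equal-cost uplink: a correct check
        # accepts it, a single-path check does not.
        "ecmp_ok": strict_urpf(FIB, "203.0.113.5", "Gig1"),
        "ecmp_buggy_dropped": strict_urpf(FIB, "203.0.113.5", "Gig1", multipath_aware=False),
    }


if __name__ == "__main__":
    for name, forwarded in run_scenarios().items():
        print(f"{name:32s} {'forward' if forwarded else 'drop'}")
```

The last two scenarios are why the check belongs on customer-facing interfaces with a single circuit and a default pointed at you: there the route back to every legitimate source is the same interface the traffic arrives on. Where a customer has netblocks you never learn from them, or where traffic is expected to arrive over a path other than the one the FIB prefers, strict mode drops good packets, which is the "unusable due to network design" complaint in the quoted message.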