Filtering Best Practices, et al (Was Verio Peering, Gordon's Knot)

Jared Mauch jared at puck.Nether.net
Tue Oct 9 15:57:14 UTC 2001


	Recent versions of IOS support a cool feature:

	"ip verify unicast source reachable-via any"

	which can be installed on interfaces.  This will silently drop
(assuming you're using CEF) packets sourced from prefixes that you do
not have a route for.

	i.e.: if you don't have 10/8 in your routing table, and someone
sends you a packet sourced from 10.0.0.3, it will get dropped.

	That will drop all your RFC 1918 space (with the obvious caveat of if
you route it) at the edge or in the core easily.

	As for non-packet filters, I defer to the plethora of threads.

	- jared

On Tue, Oct 09, 2001 at 07:58:19AM -0700, Grant A. Kirkwood wrote:
> 
> Not to beat an already-decaying horse, BUT...
> 
> I'm currently in the process of setting up a new border router, and the
> recent debate on the above topic got me wondering what the best practice
> filtering policy is? Is there one?
> 
> And what do people put in place in terms of anti-spoofing ACLs and such?
> There's a wealth of information on these topics, but no real consensus.
> 
> Or am I just reopening an ugly can of worms here?
> 
> TIA,
> 
> -- 
> Grant A. Kirkwood - grant at virtical.net
> Chief Technology Officer - Virtical Solutions, Inc.
> http://www.virtical.net/

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
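The behaviour Jared describes is Cisco's loose-mode unicast RPF ("reachable-via any"). The following is an added illustration, not code from the post or from IOS: it models the FIB lookup a router does for the uRPF check, so you can see which sources get dropped and why. It also models strict mode ("reachable-via rx") and the "allow-default" keyword, because those are the two knobs a practitioner trips over when deploying this: strict mode drops legitimate traffic wherever routing is asymmetric, and a default route does not count as "having a route" unless you say allow-default. The FIB entries, interface names and packets below are constructed sample data.

```python
"""Constructed model of IOS unicast RPF behaviour (example, not IOS code).

mode="any"  -> loose uRPF ("ip verify unicast source reachable-via any")
mode="rx"   -> strict uRPF ("ip verify unicast source reachable-via rx")
allow_default mirrors the "allow-default" keyword: by default a source
that matches only 0.0.0.0/0 is treated as having no route.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB: (prefix, egress interface).  Deliberately no 10/8 entry,
# so 10.0.0.0/8 sources only ever match the default route.
SAMPLE_FIB = [
    ("0.0.0.0/0", "Upstream0"),
    ("192.0.2.0/24", "Cust1"),
    ("198.51.100.0/24", "Cust2"),
    ("198.51.100.128/25", "Cust3"),  # more specific than Cust2's /24
]


def build_fib(entries):
    """Turn (prefix, iface) strings into (ip_network, iface) tuples."""
    return [(ipaddress.ip_network(p), iface) for p, iface in entries]


def lookup(fib, addr) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match, as the CEF FIB lookup would do."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="any", allow_default=False) -> bool:
    """Return True if a packet from `src` arriving on `ingress` passes uRPF."""
    hit = lookup(fib, src)
    if hit is None:
        return False                      # no route at all -> drop
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route -> drop
    if mode == "rx":
        return egress == ingress          # strict: must come back the same way
    return True                           # loose: any route is enough


def filter_packets(fib, packets, mode="any", allow_default=False) -> List[Tuple[str, str, bool]]:
    """Run uRPF over (src, ingress) pairs; returns (src, ingress, passed)."""
    return [(s, i, urpf_check(fib, s, i, mode, allow_default)) for s, i in packets]


if __name__ == "__main__":
    fib = build_fib(SAMPLE_FIB)
    # Constructed sample traffic: spoofed RFC 1918 source, a customer prefix
    # seen on the upstream (asymmetric), and a customer prefix on its own port.
    packets = [("10.0.0.3", "Upstream0"),
               ("192.0.2.5", "Upstream0"),
               ("192.0.2.5", "Cust1"),
               ("198.51.100.200", "Cust2")]
    for mode in ("any", "rx"):
        print(f"--- mode={mode} ---")
        for src, ingress, ok in filter_packets(fib, packets, mode):
            print(f"{src:>16} via {ingress:<10} {'pass' if ok else 'DROP'}")
```

Running it shows the point of the post (10.0.0.3 is dropped in both modes because only the default route covers it) and the caveat loose mode exists for: 192.0.2.5 arriving on Upstream0 passes loose uRPF but fails strict, which is exactly the asymmetric-routing case that makes "reachable-via rx" unsafe anywhere but a single-homed customer edge.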
