FW: Re: Is there a line of defense against Distributed Reflective attacks?

John Kristoff jtk at aharp.is-net.depaul.edu
Sat Jan 18 19:51:28 UTC 2003


On Sat, Jan 18, 2003 at 08:58:13AM -0500, Daniel Senie wrote:
> While it's nice that router vendors implemented unicast RPF to make 
> configuration in some cases easier, using simple ACLs isn't necessarily 
> hard at the edges either.

It might be nice if all router vendors were able to associate the
interface's configured address(es)/nets as a variable for ingress
filters.  So, in the Cisco world, a simple example would be:

  interface Serial0
    ip address 192.0.2.1 255.255.255.128
    ip access-group 100 in
  !
  interface Serial1
    ip address 192.0.2.129 255.255.255.128
    ip access-group 100 in
  !
  access-list 100 permit ip $interface-routes any
  access-list 100 deny ip any any

Those sorts of features could make the scaling issue much easier
for large providers and environments where routers may have lots
of interfaces.  An operator could also essentially build tools to
automatically configure/verify configurations this way, but I
think it would be better for the router vendors to do this for us.

John
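The post wishes for a vendor feature that derives each interface's ingress filter from the addresses configured on it, and notes that an operator could build tooling to generate and verify such configurations instead. The script below is an added example of that tooling, written for this edit and not code from the original post or from any router vendor. Because IOS has no `$interface-routes` variable, it emits one numbered ACL per interface (100, 101, ...) rather than the single shared ACL in the post, and it goes slightly beyond the post by letting each interface carry an optional list of prefixes routed behind it, so the permit lines cover customer routes and not only the connected subnet. Interface names, addresses and routed prefixes are constructed sample data.

```python
"""Generate and check per-interface ingress ACLs from interface addresses.

Added example (not from the original NANOG post). Emulates the behaviour
the post asks vendors for: derive an interface's ingress filter from the
address/mask configured on it. One extended ACL is generated per interface,
since IOS cannot reference the interface's own nets from a shared ACL.
"""
import ipaddress

# Constructed sample: (interface name, configured address/prefix,
# list of additional prefixes routed out that interface).
INTERFACES = [
    ("Serial0", "192.0.2.1/25", []),
    ("Serial1", "192.0.2.129/25", ["198.51.100.0/24"]),
]


def permitted_sources(addr_with_prefix, routed_prefixes=()):
    """Networks whose addresses are legitimate packet sources on an
    interface: its connected subnet plus any prefixes routed behind it."""
    connected = ipaddress.ip_interface(addr_with_prefix).network
    return [connected] + [ipaddress.ip_network(p) for p in routed_prefixes]


def wildcard_mask(network):
    """IOS ACLs use wildcard (inverted) masks: 0 bits must match."""
    return str(network.hostmask)


def build_ingress_config(interfaces, first_acl=100):
    """Return IOS-style config lines: interface stanzas plus one ACL each.

    Each ACL permits only packets whose source lies in a network that
    belongs on that interface and drops everything else, which is the
    anti-spoofing ingress filter the post describes.
    """
    stanzas, acls = [], []
    for index, (name, addr, routed) in enumerate(interfaces):
        acl_num = first_acl + index
        iface = ipaddress.ip_interface(addr)
        stanzas += [
            f"interface {name}",
            f"  ip address {iface.ip} {iface.network.netmask}",
            f"  ip access-group {acl_num} in",
            "!",
        ]
        for net in permitted_sources(addr, routed):
            acls.append(
                f"access-list {acl_num} permit ip {net.network_address} "
                f"{wildcard_mask(net)} any"
            )
        acls.append(f"access-list {acl_num} deny ip any any")
    return stanzas + acls


def ingress_permits(addr_with_prefix, routed_prefixes, source_ip):
    """Verification helper: would the generated filter on this interface
    admit a packet with the given source (True), or drop it as spoofed?"""
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in permitted_sources(addr_with_prefix,
                                                       routed_prefixes))


if __name__ == "__main__":
    print("\n".join(build_ingress_config(INTERFACES)))
    for src in ("192.0.2.5", "192.0.2.200", "198.51.100.7"):
        verdict = "permit" if ingress_permits("192.0.2.1/25", [], src) else "deny"
        print(f"{src} arriving on Serial0 -> {verdict}")
```

The generated ACLs are only as good as the prefix list fed to the tool: if a customer adds a prefix behind Serial1 and the list is not updated, that traffic is dropped as spoofed, which is the operational scaling burden the post says a vendor-supplied interface variable would remove. Running `ingress_permits` against the live interface inventory is a cheap way to catch such mismatches before they reach the router.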



More information about the NANOG mailing list