69/8...this sucks -- Centralizing filtering..
Iljitsch van Beijnum
iljitsch at muada.com
Tue Mar 11 19:04:47 UTC 2003
On Tue, 11 Mar 2003, Peter Galbavy wrote:

> > If all routes in the routing table are good (which soBGP and S-BGP can
> > do for you) and routers filter based on the contents of the routing
> > table, hosts will not see any bogon packets except locally generated
> > ones so they shouldn't have bogon filters of their own.

> I believe you are confusing authentication with authorisation.

I don't think I am.

> Having authentic routes does not imply that all the traffic will be
> 'correct'. Various networks will always fail to filter customer traffic at
> ingress etc. and then source address spoofing becomes trivial.

I don't see your point. Packets with bogon sources are just one class of
spoofed packets. As I've explained earlier, S-BGP or soBGP with uRPF will
get rid of bogons. Neither this nor bogon filters on the host will do
anything against non-bogon spoofed packets.
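
Added example, not part of the original message: a Python model of the filtering discussed above, assuming loose-mode uRPF (forward only if some route covers the source address) and a constructed table of validated routes built from documentation prefixes. All names (Packet, VALIDATED_ROUTES, covering_route, urpf_filter, spoofed_survivors) are hypothetical. It shows bogon and unrouted sources being dropped while a spoofed source inside routed space is still forwarded.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    claimed_src: str  # source address written in the IP header
    real_sender: str  # true origin; a router cannot see this

# Constructed table: assume every prefix here passed S-BGP/soBGP validation.
# Documentation ranges stand in for allocated, legitimately announced space.
VALIDATED_ROUTES = [ipaddress.ip_network(p) for p in
                    ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/25")]

def covering_route(src, routes=VALIDATED_ROUTES):
    """Longest-prefix match on the source address; None if nothing covers it."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in routes if addr in net]
    return max(matches, key=lambda net: net.prefixlen, default=None)

def urpf_filter(packets, routes=VALIDATED_ROUTES):
    """Loose-mode uRPF (assumed): forward only if a route covers the source."""
    passed, dropped = [], []
    for pkt in packets:
        routed = covering_route(pkt.claimed_src, routes) is not None
        (passed if routed else dropped).append(pkt)
    return passed, dropped

def spoofed_survivors(packets, routes=VALIDATED_ROUTES):
    """Spoofed packets that are forwarded anyway because the source is routed."""
    passed, _ = urpf_filter(packets, routes)
    return [p for p in passed if p.claimed_src != p.real_sender]

# Constructed sample traffic.
SAMPLE = [
    Packet("192.0.2.10", "192.0.2.10"),       # honest source
    Packet("240.1.2.3", "198.51.100.7"),      # spoofed bogon (reserved 240/4)
    Packet("203.0.113.200", "198.51.100.7"),  # spoofed, outside the routed /25
    Packet("192.0.2.99", "198.51.100.7"),     # spoofed, but inside routed space
]

if __name__ == "__main__":
    passed, dropped = urpf_filter(SAMPLE)
    print("forwarded:", [p.claimed_src for p in passed])
    print("dropped:  ", [p.claimed_src for p in dropped])
    print("spoofed but forwarded:",
          [p.claimed_src for p in spoofed_survivors(SAMPLE)])
```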