icmp rpf

Roland Dobbins rdobbins at cisco.com
Mon Sep 25 00:30:03 UTC 2006


On Sep 24, 2006, at 4:33 PM, Mark Kent wrote:

> Remember, we're not talking about RFC1918 space,
> where there is a BCP that says we should filter it at the edge.
> We're talking about public IP space, that just doesn't happen to be
> announced outside of a particular AS.

If the intent is to prevent folks from reaching out and touching
random network infrastructure devices directly whilst still allowing
traceroute to work, iACLs and/or using IS-IS as one's IGP and
null-routing the infrastructure blocks at one's various edges achieves
the same effect with less potential for breakage:

http://www.nanog.org/mtg-0405/mcdowell.html

Note that a good infrastructure addressing plan is a prerequisite for
both of these methods.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

Any information security mechanism, process, or procedure which can
be consistently defeated by the successful application of a single
class of attacks must be considered fatally flawed.

     -- The Lucy Van Pelt Principle of Secure Systems Design

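The iACL half of what Roland describes above, written out as an added Cisco IOS example (this is not from the original post or the McDowell talk). The prefixes, peer addresses and interface name are assumptions: 192.0.2.0/24 stands in for the contiguous block that holds router loopbacks and internal link addresses, and 203.0.113.0/30 for an external peering link.

```cisco
! Infrastructure block (ASSUMED for illustration): 192.0.2.0/24 holds
! loopbacks and backbone link addresses. It is never announced outside
! the AS, so nothing from outside has a legitimate reason to send to it.
!
ip access-list extended INFRA-IN
 ! Exceptions first: the eBGP session on this link terminates on an
 ! address inside the block, so permit the peer (ASSUMED addresses).
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 ! Drop everything else addressed INTO the infrastructure block.
 ! Traceroute still works: the ICMP time-exceeded replies are generated
 ! by the routers and leave the AS as outbound traffic, which this
 ! inbound ACL never sees. Only packets destined to the block are filtered.
 deny ip any 192.0.2.0 0.0.0.255 log
 ! Transit traffic to customer and public space is untouched.
 permit ip any any
!
! Apply on every external-facing interface (ASSUMED interface name).
interface GigabitEthernet0/0
 description external peering link
 ip access-group INFRA-IN in
!
! The null-route half Roland mentions: at the edge, point the aggregate
! infrastructure block at Null0 so it is discarded locally rather than
! carried toward the core.
ip route 192.0.2.0 255.255.255.0 Null0
```

Two checks worth making before trusting this on a live edge: confirm with `show ip access-lists INFRA-IN` that the deny line is incrementing only for traffic you expect to be unwanted, and run a traceroute from outside through the router to verify hops inside the block still answer. The `log` keyword is optional and costs CPU on busy boxes; drop it once the policy is validated. Whether the null route coexists cleanly with the IGP-learned more-specifics depends on the addressing plan, which is exactly the prerequisite the post calls out.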