[191710] in North American Network Operators' Group


Re: BCP38 deployment [ was Re: Krebs on Security booted off Akamai

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Sep 26 03:14:50 2016

X-Original-To: nanog@nanog.org
To: Hugo Slabbert <hugo@slabnet.com>
From: Valdis.Kletnieks@vt.edu
In-Reply-To: <20160926041931.56loourte4eu6me5@slab-wks-04.int.slabnet.com>
Date: Mon, 26 Sep 2016 03:14:44 -0400
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


On Sun, 25 Sep 2016 21:19:31 -0700, Hugo Slabbert said:

> Linux:
> From /etc/sysctl.conf:
>
> # Uncomment the next two lines to enable Spoof protection (reverse-path
> # filter)
> # Turn on Source Address Verification in all interfaces to
> # prevent some spoofing attacks
> net.ipv4.conf.default.rp_filter=1
> net.ipv4.conf.all.rp_filter=1
>
> Unfortunately, the net.ipv6 equivalents for those do not yet seem to be a
> thing on Linux.

See net/ipv6/netfilter/ip6t_rpfilter.c

Also, note that a lot of net.ipv4.conf variables also apply to ipv6 (though
checking the source tree, this isn't one of them, unless it's via a macro that
some quick grepping didn't find...)
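
Added example, not part of the original message or of any project's code: a shell function that reads `sysctl -a`-style lines and reports the effective IPv4 reverse-path filter mode per interface, since the kernel uses the maximum of the `all` and per-interface values and `default` only seeds interfaces created later. The sample input and the function name are constructed for illustration; the closing comment shows the `rpfilter` netfilter match that `ip6t_rpfilter.c` implements, as documented in iptables-extensions.

```shell
#!/bin/sh
# rp_filter values: 0 = off, 1 = strict, 2 = loose.
# Effective value on an interface = max(conf/all, conf/<iface>).
# conf/default is not part of that maximum; it only seeds new interfaces.
rp_filter_effective() {
    awk -F'[ =]+' '
        BEGIN { all = 0 }
        $1 ~ /^net\.ipv4\.conf\..*\.rp_filter$/ {
            name = $1
            sub(/^net\.ipv4\.conf\./, "", name)
            sub(/\.rp_filter$/, "", name)
            if (name == "all") all = $2 + 0
            else if (name != "default") val[name] = $2 + 0
        }
        END {
            for (i in val) {
                eff = (val[i] > all) ? val[i] : all
                mode = (eff == 0) ? "off" : (eff == 1) ? "strict" : "loose"
                print i, mode
            }
        }' | sort
}

# Constructed sample: "default" is 1, but eth1 and lo already existed with 0
# and "all" is 0, so they are not filtered.
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wg0.rp_filter = 2'

printf '%s\n' "$SAMPLE" | rp_filter_effective

# On a live host:  sysctl -a 2>/dev/null | rp_filter_effective
#
# IPv6 has no rp_filter sysctl; the rpfilter match is used instead (root):
#   ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
```

Because the kernel takes the numeric maximum, an interface set to 2 stays in loose mode even when `all` is 1.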

