[12581] in North American Network Operators' Group
Re: Packets from net 10 (no, not the lyrics)
daemon@ATHENA.MIT.EDU (John A. Tamplin)
Tue Sep 23 15:07:23 1997
Date: Tue, 23 Sep 1997 13:43:21 -0500 (CDT)
From: "John A. Tamplin" <jat@traveller.com>
To: "Todd R. Stroup" <tstroup@fibernet.net>
cc: bmanning@ISI.EDU, Mohamad Eljazzar <eljazzar@ns.utk.edu>, nanog@merit.edu
In-Reply-To: <Pine.SGI.3.91.970923122526.11281L-100000@optical>
On Tue, 23 Sep 1997, Todd R. Stroup wrote:
> You want to filter on an interface for this? If you get the route into
> your routing table that's where the problem starts. Attaching the filter
> to the peer session will at least get rid of the bad routes from the
> start. I would rather use CPU on keeping the BGP sessions clean than
> wasting it on checking the interface for packets with 10/8. If anyone
> has any better suggestions, I would love to hear them.
Maybe I am missing something, but we use an inbound access list on all
external links that eliminates IP address spoofing, as well as some basic
security issues (blocking NFS, r* commands, etc., just in case some machine
inside is misconfigured). If you have an inbound access list that filters
based on the source address already, why would you not add the private
addresses to that?
John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801
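
Added example, not part of the original message: a small Python model of the kind of inbound access list described above, applied first-match to traffic arriving on an external link. The inside prefix (192.0.2.0/24), the rule names, and the sample packets are constructed for illustration; the blocked ports are the standard ones for NFS (2049) and the r* commands (512-514/tcp).

```python
import ipaddress
from collections import Counter

INSIDE = [ipaddress.ip_network("192.0.2.0/24")]  # assumed inside prefix (documentation range)
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # private address space
BLOCKED = {("tcp", 512), ("tcp", 513), ("tcp", 514),  # rexec, rlogin, rsh
           ("tcp", 2049), ("udp", 2049)}              # NFS

def _in(addr, nets):
    return any(addr in n for n in nets)

# Ordered rules, first match wins, as in a router access list.
RULES = [
    ("deny", "private-source", lambda p: _in(p["src"], PRIVATE)),
    # A packet arriving from outside must not claim an inside source address.
    ("deny", "spoofed-inside-source", lambda p: _in(p["src"], INSIDE)),
    ("deny", "blocked-service", lambda p: (p["proto"], p["dport"]) in BLOCKED),
    ("permit", "default", lambda p: True),
]

def check_inbound(src, dst, proto, dport):
    """Return (action, rule_name) for one packet seen inbound on an external link."""
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
           "proto": proto, "dport": dport}
    for action, name, match in RULES:
        if match(pkt):
            return action, name

def hit_counts(packets):
    """Per-rule match counters, comparable to access-list hit counts."""
    return Counter(check_inbound(*p)[1] for p in packets)

# Constructed sample traffic: (source, destination, protocol, destination port).
SAMPLE = [
    ("10.1.2.3", "192.0.2.10", "tcp", 80),
    ("192.0.2.77", "192.0.2.10", "udp", 53),
    ("198.51.100.9", "192.0.2.10", "tcp", 513),
    ("198.51.100.9", "192.0.2.10", "udp", 2049),
    ("198.51.100.9", "192.0.2.25", "tcp", 25),
    ("10.9.9.9", "192.0.2.10", "tcp", 2049),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", check_inbound(*p))
    print(dict(hit_counts(SAMPLE)))
```

Because the source-address rules come first, a packet from 10/8 aimed at NFS is counted against the private-source rule, so the counters show how much private-sourced traffic is reaching the link regardless of what service it targets.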