[12585] in North American Network Operators' Group
Re: Packets from net 10 (no, not the lyrics)
daemon@ATHENA.MIT.EDU (Todd R. Stroup)
Tue Sep 23 17:38:06 1997
Date: Tue, 23 Sep 1997 16:54:03 -0400 (EDT)
From: "Todd R. Stroup" <tstroup@fibernet.net>
To: "John A. Tamplin" <jat@Traveller.COM>
cc: nanog@merit.edu
In-Reply-To: <Pine.A32.3.91.970923134149.36610c@cyclone.traveller.com>
On Tue, 23 Sep 1997, John A. Tamplin wrote:
> Maybe I am missing something, but we use an inbound access list on all
> external links that eliminates IP address spoofing, as well as some basic
> security issues (blocking NFS, r* commands, etc just in case some machine
> inside is misconfigured). If you have an inbound access list that filters
> based on the source address already, why would you not add the private
> addresses to that?
>
This is sort of a different issue... you are filtering IP, not routes. If
you peer with someone that is sending you 10/8 even though you have it
filtered on the inbound of your interface (which is good for CPU) you will
still have a route injected into your route tables which could be
bad. Why not destroy the bad routes before they get to your routing
table?
Todd R. Stroup
Fiber Network Solutions, Inc.
> John Tamplin Traveller Information Services
> jat@Traveller.COM 2104 West Ferry Way
> 205/883-4233x7007 Huntsville, AL 35801
>
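The distinction Todd draws, a source-address ACL on the interface versus a prefix filter on the BGP session, can be made concrete with a small model. The following Python is an added example, not code from the thread or from any vendor; the prefix-list matching follows the ge/le semantics of Cisco-style `ip prefix-list` entries (exact length when neither is given, `le N` allows lengths from the entry's own length up to N, `ge M` allows M up to 32, first match wins, implicit deny), and every address and announcement in it is constructed sample data.

```python
"""Added example (not from the NANOG thread): a model of the two controls.

An inbound interface ACL decides packet by packet on the source address; a
prefix list applied to the BGP session decides which routes from the peer
reach the routing table. The two are independent: an ACL alone leaves a
peer-announced 10/8 route in the RIB. All data below is constructed."""
import ipaddress
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# RFC 1918 private space: should never arrive as a packet source on an
# external link, nor as a route from an external peer.
PRIVATE = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def acl_permits_packet(src: str) -> bool:
    """Inbound interface ACL: drop packets whose source is private space.
    This is the packet-level control; it never looks at routes."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in PRIVATE)


# (action, prefix, ge, le): one line of an "ip prefix-list" style filter.
Entry = Tuple[str, str, Optional[int], Optional[int]]

BOGON_PREFIX_LIST: List[Entry] = [
    ("deny",   "10.0.0.0/8",     None, 32),  # 10/8 and every more-specific
    ("deny",   "172.16.0.0/12",  None, 32),
    ("deny",   "192.168.0.0/16", None, 32),
    ("permit", "0.0.0.0/0",      8,    24),  # anything else from /8 to /24
]


def entry_matches(entry: Entry, route: IPv4Net) -> bool:
    """Does one prefix-list entry match the announced route?"""
    _action, prefix, ge, le = entry
    base = ipaddress.ip_network(prefix)
    if not route.subnet_of(base):      # route must lie inside the entry's space
        return False
    low = ge if ge is not None else base.prefixlen
    if le is not None:
        high = le
    else:
        high = 32 if ge is not None else base.prefixlen
    return low <= route.prefixlen <= high


def route_filter(announced: List[str]) -> Tuple[List[str], List[str]]:
    """Apply the prefix list to a peer's announcements: first match wins,
    implicit deny at the end. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for text in announced:
        route = ipaddress.ip_network(text, strict=False)
        verdict = "deny"
        for entry in BOGON_PREFIX_LIST:
            if entry_matches(entry, route):
                verdict = entry[0]
                break
        (accepted if verdict == "permit" else rejected).append(str(route))
    return accepted, rejected


def rib_contents(announced: List[str], apply_prefix_list: bool) -> List[str]:
    """What ends up in the routing table. Without the prefix list every
    announcement is installed, whatever the interface ACL does to packets."""
    if not apply_prefix_list:
        return [str(ipaddress.ip_network(t, strict=False)) for t in announced]
    return route_filter(announced)[0]


# Constructed sample data: a few packet sources and a peer's announcements.
SAMPLE_PACKET_SOURCES = ["10.1.2.3", "192.168.5.9", "198.51.100.7"]
PEER_ANNOUNCEMENTS = ["10.0.0.0/8", "10.42.0.0/16", "172.20.0.0/14",
                      "192.168.5.0/24", "198.51.100.0/24", "203.0.113.0/25"]

if __name__ == "__main__":
    for src in SAMPLE_PACKET_SOURCES:
        verdict = "permit" if acl_permits_packet(src) else "drop"
        print(f"packet from {src:15} -> {verdict}")
    print("RIB with ACL only   :", rib_contents(PEER_ANNOUNCEMENTS, False))
    print("RIB with prefix list:", rib_contents(PEER_ANNOUNCEMENTS, True))
    print("rejected before install:", route_filter(PEER_ANNOUNCEMENTS)[1])
```

Running it shows the packet ACL dropping the two private sources while, with the ACL alone, all six announced prefixes (including 10/8 and its more-specifics) are still installed; only the prefix list keeps them out of the table. The /25 is rejected by the implicit deny because the permit entry stops at `le 24`, which is the usual way such a list also drops overly long prefixes.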