[127192] in North American Network Operators' Group
Re: Todd Underwood was a little late
daemon@ATHENA.MIT.EDU (Brian Feeny)
Thu Jun 17 16:52:28 2010
From: Brian Feeny <bfeeny@mac.com>
In-reply-to: <4C19A6D2.6030603@gmail.com>
Date: Thu, 17 Jun 2010 08:27:34 -0400
To: Roy <r.engehausen@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
uRPF doesn't work as well for stopping inbound traffic to your network, because most people aren't totally defaultless, so the default route makes all traffic valid.
It works well for outbound traffic.
On Jun 17, 2010, at 12:38 AM, Roy wrote:
> On 6/16/2010 7:43 PM, Jon Lewis wrote:
>> On Thu, 17 Jun 2010, Mark Andrews wrote:
>>
>>> Why was this traffic hitting your DNS server in the first place? It should
>>> have been rejected by the ingress filters preventing spoofing of the local
>>> network.
>>
>> When I ran a smaller simpler network, I did have input filters on our transit providers rejecting packets from our IP space. With a larger network, multiple IP blocks, numerous multihomed customers, some of which use IPs we've assigned them, it gets a little more complicated to do.
>>
>> I could reject at our border, packets sourced from our IP ranges with exceptions for any of the IP blocks we've assigned to multihomed customers. The ACLs wouldn't be that long, or that hard to maintain. Is this common practice?
>>
>> -
>
> Sounds like a good use of URPF.
>
>
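The two approaches discussed in this thread, uRPF against the routing table versus an explicit border ACL with exceptions for multihomed customers, can be modelled in a few lines. The following is an added example, not code from the list or from any router vendor; the FIB, the "our prefixes" list and the multihomed exception are constructed sample data using documentation address ranges, and the function names are this example's own. It shows Brian's point (with a default route present, loose uRPF accepts every source), Mark's point (strict uRPF on the transit interface rejects packets claiming to come from the local network), and Jon's point (strict uRPF also rejects a multihomed customer's legitimate traffic arriving via transit, which is why the border ACL needs exceptions).

```python
import ipaddress

# Constructed sample FIB as (prefix, egress interface). The 0.0.0.0/0 entry is the
# default route that makes loose uRPF accept any source.
FIB_WITH_DEFAULT = [
    ("192.0.2.0/24", "lan0"),      # our own address block
    ("198.51.100.0/24", "cust1"),  # block we assigned to a multihomed customer
    ("0.0.0.0/0", "transit0"),     # default route toward transit
]
FIB_DEFAULTLESS = [entry for entry in FIB_WITH_DEFAULT if entry[0] != "0.0.0.0/0"]

# Constructed policy data for the border ACL approach.
OUR_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
MULTIHOMED_EXCEPTIONS = ["198.51.100.0/24"]  # may legitimately arrive via transit


def lookup(fib, addr):
    """Longest-prefix match: interface the FIB would use to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_loose(fib, src):
    """Loose mode: accept if any route covers the source (default route covers all)."""
    return lookup(fib, src) is not None


def urpf_strict(fib, src, ingress_iface):
    """Strict mode: accept only if the reverse path to the source is the ingress interface."""
    return lookup(fib, src) == ingress_iface


def bcp38_border_accept(src, our_prefixes=OUR_PREFIXES, exceptions=MULTIHOMED_EXCEPTIONS):
    """Border ingress ACL: drop packets sourced from our ranges, except multihomed blocks."""
    ip = ipaddress.ip_address(src)
    if any(ip in ipaddress.ip_network(p) for p in exceptions):
        return True
    if any(ip in ipaddress.ip_network(p) for p in our_prefixes):
        return False
    return True


def evaluate(src, ingress_iface="transit0"):
    """Verdicts for one packet arriving on the transit interface under each policy."""
    return {
        "loose_with_default": urpf_loose(FIB_WITH_DEFAULT, src),
        "loose_defaultless": urpf_loose(FIB_DEFAULTLESS, src),
        "strict": urpf_strict(FIB_WITH_DEFAULT, src, ingress_iface),
        "border_acl": bcp38_border_accept(src),
    }


if __name__ == "__main__":
    # Constructed sample sources: spoofed-local, multihomed customer, ordinary remote host.
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(src, evaluate(src))
```

Loose uRPF with a default route returns True for all three sources, so it filters nothing inbound; strict uRPF rejects the spoofed local source but also rejects the multihomed customer's packets on the transit link; the explicit ACL rejects the spoofed source while admitting the customer's block through its exception.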