[16478] in North American Network Operators' Group


Re: Network Operators and smurf

daemon@ATHENA.MIT.EDU (Alex P. Rudnev)
Mon Apr 27 06:46:11 1998

Date: Mon, 27 Apr 1998 14:12:50 +0400 (MSD)
From: "Alex P. Rudnev" <alex@Relcom.EU.net>
To: Al Reuben <alex@nac.net>
cc: Havard.Eidnes@runit.sintef.no, jra@scfn.thpl.lib.fl.us, nanog@merit.edu
In-Reply-To: <Pine.BSF.3.96.980425122657.13390W-100000@iago.nac.net>

Usually the low-end traffic is symmetrical. The problem is that CEF code 
and other anti-frauding realisations are appearing for the high-end 
routers, while they are necessary for the low-end routers and useless for 
the core routers. For Cisco, we need this feature for 4500/4700/3640/2511 
ASAP, 720x slightly, and don't need it for 75xx at all.





On Sat, 25 Apr 1998, Al Reuben wrote:

> Date: Sat, 25 Apr 1998 12:30:50 -0400 (EDT)
> From: Al Reuben <alex@nac.net>
> To: Havard.Eidnes@runit.sintef.no
> Cc: jra@scfn.thpl.lib.fl.us, nanog@merit.edu
> Subject: Re: Network Operators and smurf
> 
> 
> > This should (naturally) be implemented where routing is symmetric
> > and where a "reverse-path check" (looking up the source address in
> > the routing table to find the "expected" incoming interface and
> > checking whether the packet did indeed enter through that interface)
> 
> The big question is, what do you do if most of your traffic _is_
> asymmetrical? I mean, a more basic check could be, "Does the network that
> this packet was sourced from exist *at all*?", or "Do I have a route back
> to the source network through *any* interface?"
> 
> That would cut down on a good amount of spoofing, like the idiots who
> spoof from 1.1.1.1 etc.
> 
> 
> 

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
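
The two checks discussed in this thread, the strict reverse-path check (expected incoming interface) and the looser "route back through any interface" check, sketched as an added example that is not part of the original messages. The routing table, interface names and the `rpf_accept` helper are constructed for illustration and do not represent any router's implementation.

```python
import ipaddress

# Constructed routing table: (prefix, interface used to reach it).
ROUTES = [
    ("192.0.2.0/24", "eth0"),       # directly attached customer LAN
    ("198.51.100.0/24", "eth1"),    # reached via upstream A
    ("203.0.113.0/24", "eth2"),     # best path via upstream B
    ("203.0.113.128/25", "eth1"),   # more specific route via upstream A
]

def build_fib(routes):
    """Parse prefixes once so lookups only do membership tests."""
    return [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

def lookup(fib, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifc in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def rpf_accept(fib, src, in_ifc, mode="strict"):
    """Return True if a packet from src arriving on in_ifc passes the check.

    strict: the route back to src must point out of in_ifc.
    loose:  any route back to src is enough (tolerates asymmetric paths).
    """
    expected = lookup(fib, src)
    if expected is None:
        return False            # no route back at all: dropped in both modes
    if mode == "loose":
        return True
    return expected == in_ifc

FIB = build_fib(ROUTES)

if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface).
    packets = [("192.0.2.10", "eth0"), ("203.0.113.5", "eth1"),
               ("203.0.113.200", "eth1"), ("1.1.1.1", "eth1")]
    for src, ifc in packets:
        print(src, ifc,
              "strict=%s" % rpf_accept(FIB, src, ifc, "strict"),
              "loose=%s" % rpf_accept(FIB, src, ifc, "loose"))
```

In this model a default route (`0.0.0.0/0`) in the table makes the loose check pass every source, so the loose variant only filters when the table is default-free or the default is excluded from the lookup.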

