[16555] in North American Network Operators' Group


RE: Network Operators and smurf

daemon@ATHENA.MIT.EDU (Jesper Skriver)
Fri May 1 18:04:58 1998

Date: Fri, 1 May 1998 23:01:22 +0200 (CEST)
From: Jesper Skriver <jesper@skriver.dk>
To: Doug Stanfield <DOUGS@oceanic.com>
cc: "'Alex P. Rudnev'" <alex@Relcom.EU.net>, Al Reuben <alex@nac.net>,
        Havard.Eidnes@runit.sintef.no, jra@scfn.thpl.lib.fl.us,
        nanog@merit.edu
In-Reply-To: <5650A1190E4FD111BC7E0000F8034D26168DA1@HUINA>

Plus the CEF code can do much more than this "verify unicast reverse-path"
thing ... nice things like WRED, advanced QOS ....

So it's needed on highend core routers ... for other purposes.

/Jesper


On Mon, 27 Apr 1998, Doug Stanfield wrote:

> Don't assume it's not needed for the 75xx, or anything else for that
> matter.  Many networks are single connected to routers that are also
> acting multihomed to core providers and these boxes are being used.
> 
> Doug Stanfield          		Oceanic Cable            
> Data Networking Manager        	200 Akamainui St.
> dougs@oceanic.com        	Mililani, HI  96789
> 
> 
> 	Usually the low-end traffic is symmetrical. The problem is that
> 	CEF code and other anti-fraud realisations are appearing for the
> 	high-end routers, while they are necessary for the low-end routers
> 	and useless for the core routers. For cisco, we need this feature for
> 	4500/4700/3640/2511 ASAP, 720x slightly, and don't need it for 75xx at all.
> 
> 	On Sat, 25 Apr 1998, Al Reuben wrote:
> 
> 	> Date: Sat, 25 Apr 1998 12:30:50 -0400 (EDT)
> 	> From: Al Reuben <alex@nac.net>
> 	> To: Havard.Eidnes@runit.sintef.no
> 	> Cc: jra@scfn.thpl.lib.fl.us, nanog@merit.edu
> 	> Subject: Re: Network Operators and smurf
> 	> 
> 	> > This should (naturally) be implemented where routing is symmetric
> 	> > and where a "reverse-path check" (looking up the source address in
> 	> > the routing table to find the "expected" incoming interface and
> 	> > checking whether the packet did indeed enter through that interface)
> 	> 
> 	> The big question is, what do you do if most of your traffic _is_
> 	> asymmetrical? I mean, a more basic check could be, "Does the network that
> 	> this packet was sourced from exist *at all*?", or "Do I have a route back
> 	> to the source network through *any* interface?"
> 	> 
> 	> That would cut down on a good amount of spoofing, like the idiots who
> 	> spoof from 1.1.1.1 etc.
> 
> 	Aleksei Roudnev, Network Operations Center, Relcom, Moscow
> 	(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
> 	(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
> 

Jesper Skriver (JS249-RIPE), Network manager      
Tele Danmark DataNet, IP section (AS3292)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
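To make the strict reverse-path check and Al Reuben's looser "is there a route back at all" check concrete, here is an added Python model of both (not code from the thread, Cisco, or any router vendor). The routing table, interface names, sample packets and the allow_default knob are all constructed assumptions for this example.

```python
import ipaddress

# Constructed routing table (prefix -> egress interface) for this example;
# it is not taken from the thread. A router would consult its FIB instead.
ROUTES = {
    "0.0.0.0/0": "upstream0",   # default route
    "10.0.0.0/8": "cust0",
    "10.1.0.0/16": "cust1",
    "192.0.2.0/24": "peer0",
}

def lookup(routes, src, allow_default=False):
    """Longest-prefix match for src; returns the egress interface or None.
    The default route is ignored unless allow_default is set (an assumed
    policy knob), otherwise a loose check would accept every source."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]

def strict_rpf(routes, src, ingress):
    """Strict check from the thread: the route back to the source must point
    out the interface the packet arrived on. Fails under asymmetric routing."""
    return lookup(routes, src) == ingress

def loose_rpf(routes, src):
    """Loose check Al Reuben proposes: a route back to the source through *any*
    interface is enough. Survives asymmetry but only stops unrouted sources."""
    return lookup(routes, src) is not None

def classify(routes, packets):
    """Return (src, ingress, strict_ok, loose_ok) for each constructed packet."""
    return [(s, i, strict_rpf(routes, s, i), loose_rpf(routes, s))
            for s, i in packets]

# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("10.1.2.3", "cust1"),       # symmetric path: passes both checks
    ("10.1.2.3", "cust0"),       # asymmetric path: strict drops, loose passes
    ("1.1.1.1", "cust0"),        # the thread's example source, unrouted here: both drop
    ("192.0.2.7", "upstream0"),  # peer prefix arriving from transit: loose only
]

if __name__ == "__main__":
    for src, iface, strict_ok, loose_ok in classify(ROUTES, PACKETS):
        print(f"{src:>10} via {iface:<9} strict={'pass' if strict_ok else 'drop'}"
              f" loose={'pass' if loose_ok else 'drop'}")
```

The second packet is the asymmetric case the thread worries about: strict mode would discard legitimate traffic there, while loose mode still rejects the unrouted 1.1.1.1 source.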

