[24704] in North American Network Operators' Group

Re: SYN spoofing

daemon@ATHENA.MIT.EDU (Daniel Senie)
Tue Aug 3 12:53:29 1999

Date: Tue, 03 Aug 1999 12:52:07 -0400
From: Daniel Senie <dts@senie.com>
To: Randy Bush <randy@psg.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


I wonder if any of the cisco experts could comment on an idea for
removing bogons from the core...

Questions:

- do folks use cisco's policy routing capabilities on their
  routers? core routers?

- does the use of policy routing significantly affect performance
  in the core?

The thought is that using policy routing capabilities of IOS, it appears
possible to separate out traffic matching certain characteristics,
including source addresses. If packets with bogus source addresses can
be so identified, the policy routing could route these to null0.

I don't know how Cisco did their implementation of this feature. It's
certainly possible to construct hardware which does source IP address
matching in hardware looking for bogons, by the same methods used to do
destination address matching (a.k.a. routing table lookups).

-- 
-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.            http://www.amaranthnetworks.com
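The route-to-null0 idea floated in the post, written out as an added example (not from the original message, and not Cisco's own documentation): an IOS route-map that matches a constructed, deliberately partial list of never-routable source prefixes and policy-routes matching packets to Null0, applied inbound on one interface. The ACL and route-map names and the interface name are assumptions.

```cisco
! Added example: discard packets with bogus source addresses via policy routing.
! The prefix list is a constructed, partial sample (RFC 1918 space, loopback,
! and the 0.0.0.0/8 "this network" block); a production list must be kept
! current as address allocations change.
ip access-list extended BOGON-SRC
 permit ip 0.0.0.0 0.255.255.255 any
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 127.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
! Clause 10: a packet whose source matches the list is policy-routed to
! Null0, i.e. dropped. Clause 20 has no "set", so all other traffic falls
! through to normal destination-based forwarding.
route-map DROP-BOGONS permit 10
 match ip address BOGON-SRC
 set interface Null0
!
route-map DROP-BOGONS permit 20
!
! Suppress ICMP unreachables for the discarded packets so the router does
! not spend cycles answering every dropped spoofed packet.
interface Null0
 no ip unreachables
!
! Apply as an inbound policy on the interface where the traffic enters
! (interface name is an assumption).
interface Serial0/0
 ip policy route-map DROP-BOGONS
```

Policy routing evaluates every packet arriving on the interface, which is the performance question the post raises; whether that evaluation happens in the fast path or is process-switched depends on the platform and IOS release.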
