[31489] in North American Network Operators' Group
Re: CEF RPF check w/ACLs (was: Re: netscan.org update)
daemon@ATHENA.MIT.EDU (Danny McPherson)
Mon Sep 25 16:02:30 2000
Message-Id: <200009252000.OAA12077@tcb.net>
To: nanog@merit.edu
From: Danny McPherson <danny@tcb.net>
Reply-To: danny@tcb.net
Date: Mon, 25 Sep 2000 14:00:00 -0600
Errors-To: owner-nanog-outgoing@merit.edu
> One could note that a regular packet-filtering ACL inbound on the
> customer's port could achieve a congruent functionality.
> That's probably true. In this case, I had a different idea in mind
> when I asked for the feature but this is what came out.
Right, the latter is nothing more than a standard packet filter.
Ideally, one could employ the same policy used for route filtering
from a peer (perhaps generated via IRR or other similar mechanism)
to perform source address 'authorization' in the forwarding path.
Given, the practicality of performing these functions in hardware
today is, well, interesting....
If this were widely supported and deployed (especially inter-
domain), IP spoofing DoS attacks would largely be a thing of the
past. Of course, if prefix filtering and/or ingress packet
filtering were widely deployed even at the edge, this would
largely be a thing of the past.
This is one of the things that we plan to discuss during the
"Service Provider Route Filtering" panel @NANOG.
-danny
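An added illustration of the two mechanisms discussed in the thread (example code, not from the original post or any vendor implementation): a small model of a CEF-style forwarding table with a unicast RPF lookup on the source address, next to the "plain packet filter" alternative that reuses a customer's route-filter prefix list as an ingress source ACL. All prefixes, interface names and sample packets are constructed.

```python
import ipaddress

# Constructed FIB: prefix -> egress interface. CEF looks destinations up here;
# unicast RPF reuses the same table to look up the packet's *source*.
FIB = {
    "192.0.2.0/24": "cust1",      # customer 1, single-homed on port cust1
    "203.0.113.0/25": "cust1",    # second, more specific block of customer 1
    "198.51.100.0/24": "cust2",   # customer 2 on port cust2
    "0.0.0.0/0": "upstream",      # default route towards the upstream peer
}
# Constructed route-filter prefix list for cust1 (what an IRR-based tool might
# emit for BGP); reused unchanged as an ingress source-address ACL.
ROUTE_FILTER_CUST1 = ["192.0.2.0/24", "203.0.113.0/25"]
# Constructed packets arriving on port cust1: (source address, ingress port)
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust1"),     # legitimate
    ("203.0.113.7", "cust1"),    # legitimate, covered by the /25
    ("198.51.100.5", "cust1"),   # cust2's address arriving from cust1: spoofed
    ("10.1.2.3", "cust1"),       # matches nothing but the default route
]

def longest_match(fib, addr):
    """Return (prefix, interface) of the most specific FIB entry covering addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for pfx, ifname in fib.items():
        net = ipaddress.ip_network(pfx)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def rpf_check(fib, src, ingress, strict=True):
    """Unicast RPF on the source. strict: best route back to the source must
    leave via the ingress port; loose: source only has to be routed at all.
    A source covered only by the default route fails both (no allow-default)."""
    hit = longest_match(fib, src)
    if hit is None or hit[0].prefixlen == 0:
        return False
    return hit[1] == ingress if strict else True

def acl_check(prefix_list, src):
    """Same authorization as a plain ingress packet filter: permit only sources
    inside the prefixes we would accept as BGP routes from this customer."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in prefix_list)

def dropped_by_strict_rpf(fib, packets):
    """Sources that strict RPF would discard from the given packets."""
    return [src for src, port in packets if not rpf_check(fib, src, port)]
```

On a single-homed customer port the two checks agree; the RPF form follows the routing table automatically, while the ACL form only stays correct as long as the prefix list is regenerated whenever the route filter changes.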