[43411] in North American Network Operators' Group


Re: Filtering Best Practices, et al (Was Verio Peering, Gordon's Knot)

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Oct 9 11:57:54 2001

Date: Tue, 9 Oct 2001 11:57:14 -0400
From: Jared Mauch <jared@puck.Nether.net>
To: "Grant A. Kirkwood" <grant@virtical.net>
Cc: nanog@merit.edu
Message-ID: <20011009115714.B16103@puck.nether.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3BC3108B.3C3FC383@virtical.net>; from grant@virtical.net on Tue, Oct 09, 2001 at 07:58:19AM -0700
Errors-To: owner-nanog-outgoing@merit.edu


	Recent versions of IOS support a cool feature:

	"ip verify unicast source reachable-via any"

	which can be installed on interfaces.  This will silently drop
(assuming you're using CEF) packets sourced from prefixes that you do
not have a route for.

	i.e.: if you don't have 10/8 in your routing table, and someone
sends you a packet sourced from 10.0.0.3, it will get dropped.

	That will drop all your RFC 1918 space (with the obvious caveat of if
you route it) at the edge or in the core easily.

	As for non-packet filters, I defer to the plethora of threads.

	- jared

On Tue, Oct 09, 2001 at 07:58:19AM -0700, Grant A. Kirkwood wrote:
> 
> Not to beat an already-decaying horse, BUT...
> 
> I'm currently in the process of setting up a new border router, and the
> recent debate on the above topic got me wondering what the best practice
> filtering policy is? Is there one?
> 
> And what do people put in place in terms of anti-spoofing ACLs and such?
> There's a wealth of information on these topics, but no real consensus.
> 
> Or am I just reopening an ugly can of worms here?
> 
> TIA,
> 
> -- 
> Grant A. Kirkwood - grant@virtical.net
> Chief Technology Officer - Virtical Solutions, Inc.
> http://www.virtical.net/

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
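As an added illustration (not part of the thread, and not Cisco's code), here is a small Python model of the check described in the post above: a constructed FIB, a longest-prefix lookup, and the loose-mode decision ("reachable-via any") next to strict mode ("reachable-via rx") for contrast. The `allow_default` flag mirrors the IOS `allow-default` keyword; the `Route` class, prefixes, and interface names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    """One FIB entry: a prefix and the interface it is reached through."""
    prefix: ipaddress.IPv4Network
    iface: str

def make_fib(entries):
    return [Route(ipaddress.ip_network(p), i) for p, i in entries]

# Constructed FIB for a small edge router. 10/8 is deliberately absent,
# as in the example in the post; only the default route covers it.
SAMPLE_FIB = make_fib([
    ("192.0.2.0/24", "Gi0/1"),      # customer A
    ("198.51.100.0/24", "Gi0/2"),   # customer B
    ("0.0.0.0/0", "Gi0/0"),         # default toward upstream
])

def longest_match(fib, src):
    """Return the most specific Route covering src, or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for r in fib:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def urpf_accept(fib, src, in_iface, mode="loose", allow_default=False):
    """Decide whether a packet with source src arriving on in_iface passes uRPF.

    loose  (reachable-via any): accept if any route covers the source.
    strict (reachable-via rx):  the best route must also point back out in_iface.
    The default route only counts when allow_default is set (modelled on the
    IOS allow-default keyword); otherwise a source matched only by 0/0 is dropped.
    """
    r = longest_match(fib, src)
    if r is None or (r.prefix.prefixlen == 0 and not allow_default):
        return False
    if mode == "strict":
        return r.iface == in_iface
    return True

def check_packets(fib, packets, **kw):
    """Return (src, in_iface, verdict) for each constructed (src, in_iface) pair."""
    return [(s, i, "accept" if urpf_accept(fib, s, i, **kw) else "drop") for s, i in packets]
```

Adding a 10.0.0.0/8 route to the FIB makes the 10.0.0.3 packet pass, which is the "if you route it" caveat from the post.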
