[53080] in North American Network Operators' Group
Re: no ip forged-source-address
daemon@ATHENA.MIT.EDU (variable@ednet.co.uk)
Wed Oct 30 11:21:39 2002
Date: Wed, 30 Oct 2002 16:20:58 +0000 (GMT)
From: "variable@ednet.co.uk" <variable@ednet.co.uk>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <5.1.1.6.2.20021030105529.02da4f00@mail.amaranth.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 30 Oct 2002, Daniel Senie wrote:

> BCP 38 is quite explicit in the need for all networks to do their part. The
> document is quite effective provided there's cooperation.

Doesn't seem to be working.

> Which interface would you filter on?

Customer ingress ports on the ISP side, which I suspect are the majority
of ports in ISP networks. Hopefully engineers on the backbone will be
clueful enough to turn it off.

> If we're talking about a router at the customer premises, the filters
> should be on the link to the ISP (the customer may well have more
> subnets internally). At the ISP end, doing the filtering you suggest
> would not work, since it'd permit only the IP addresses of the link
> between the customer and user.

The routing table of the router should be used to build up a list of
prefixes that you should see through the interface. In this way, you
could apply it to BGP customers too without having to create filters by
hand.

Regards,
Rich
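
The following is an added example, not part of the original message or any router's code: a sketch of deriving per-interface source filters from a routing table, as the reply above proposes. The interface names, the routing table and the packets are constructed, and the prefixes are documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table: (destination prefix, outgoing interface).
# Interface names are hypothetical; prefixes are documentation ranges.
ROUTES = [
    ("192.0.2.0/30", "cust-a"),     # point-to-point link to customer A
    ("192.0.2.64/26", "cust-a"),    # static route to customer A's internal subnet
    ("198.51.100.0/24", "cust-b"),  # prefix learned from BGP customer B
    ("0.0.0.0/0", "upstream"),      # default route towards the backbone
]

def build_filters(routes):
    """Map each interface to the prefixes the routing table reaches through it."""
    per_if = defaultdict(list)
    for prefix, ifname in routes:
        per_if[ifname].append(ipaddress.ip_network(prefix))
    # Merge adjacent or overlapping prefixes so each list is minimal.
    return {i: list(ipaddress.collapse_addresses(n)) for i, n in per_if.items()}

def permit(filters, in_if, src):
    """Accept a packet only if its source lies in a prefix routed via in_if."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in filters.get(in_if, []))

def verdicts(filters, packets):
    """Return (interface, source, 'permit' or 'drop') for each packet."""
    return [(i, s, "permit" if permit(filters, i, s) else "drop")
            for i, s in packets]

FILTERS = build_filters(ROUTES)

# Constructed packets: (arrival interface, source address).
PACKETS = [
    ("cust-a", "192.0.2.2"),      # address on the customer link
    ("cust-a", "192.0.2.70"),     # internal subnet behind the customer router
    ("cust-a", "203.0.113.9"),    # source not routed via this port
    ("cust-b", "198.51.100.25"),  # inside the BGP customer's prefix
    ("cust-b", "192.0.2.70"),     # customer A's space arriving on B's port
]

if __name__ == "__main__":
    for row in verdicts(FILTERS, PACKETS):
        print(*row)
```

Because the list comes from the routes rather than the link subnet, customer A's internal /26 is accepted on its port, while the default route leaves the upstream port unfiltered. A customer whose prefix is currently routed via a different interface (for example a multihomed BGP customer) would have its traffic dropped by a filter built this way.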