[54843] in North American Network Operators' Group


Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

daemon@ATHENA.MIT.EDU (John Kristoff)
Sat Jan 18 14:51:57 2003

Date: Sat, 18 Jan 2003 13:51:28 -0600
From: John Kristoff <jtk@aharp.is-net.depaul.edu>
To: nanog@merit.edu
In-Reply-To: <5.2.0.9.2.20030118075804.02ce6c68@mail.amaranth.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Sat, Jan 18, 2003 at 08:58:13AM -0500, Daniel Senie wrote:
> While it's nice that router vendors implemented unicast RPF to make 
> configuration in some cases easier, using simple ACLs isn't necessarily 
> hard at the edges either.

It might be nice if all router vendors were able to associate the
interface configured address(es)/nets as a variable for ingress
filters.  So in the Cisco world, a simple example would be:

  interface Serial0
    ip address 192.0.2.1 255.255.255.128
    ip access-group 100 in
  !
  interface Serial1
    ip address 192.0.2.129 255.255.255.128
    ip access-group 100 in
  !
  access-list 100 permit ip $interface-routes any
  access-list 100 deny ip any any

Those sorts of features could make the scaling issue much easier
for large providers and environments where routers may have lots
of interfaces.  An operator could also essentially build tools to
automatically configure/verify configurations this way, but I
think it would be better for the router vendors to do this for us.

John
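The kind of tool the post says an operator could build today, as an added example that is not part of the post and not a feature of any router vendor: a Python script that reads the interface addresses out of an IOS-style configuration, expands the hypothetical `$interface-routes` placeholder into one numbered ACL per interface (a shared ACL 100 cannot carry a per-interface source), and then evaluates each generated ACL against sample source addresses to verify that packets claiming a source from another interface's network are dropped. The configuration text, the function names and the ACL numbering scheme are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample configuration, modelled on the snippet in the post
# (not taken from any real router).
SAMPLE_CONFIG = """\
interface Serial0
  ip address 192.0.2.1 255.255.255.128
  ip access-group 100 in
!
interface Serial1
  ip address 192.0.2.129 255.255.255.128
  ip access-group 100 in
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDRESS_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")
# permit/deny lines of the form "access-list N permit ip SRC WILDCARD any" or "... ip any any"
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(any|\S+\s+\S+)\s+any$")


def parse_interfaces(config):
    """Return {interface_name: IPv4Network} for every interface carrying an ip address.

    strict=False lets ipaddress derive the network (192.0.2.0/25) from the
    host address and mask that appear on the interface line.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDRESS_RE.match(line)
        if m and current:
            addr, mask = m.groups()
            interfaces[current] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return interfaces


def build_ingress_acls(interfaces, base=100):
    """Expand "$interface-routes" into a distinct numbered ACL per interface.

    Cisco ACLs take a wildcard (inverted) mask, which ipaddress exposes as
    the network's hostmask. Interfaces are numbered base, base+1, ... in name order.
    """
    acls = {}
    for i, (name, net) in enumerate(sorted(interfaces.items())):
        number = base + i
        acls[name] = [
            f"access-list {number} permit ip {net.network_address} {net.hostmask} any",
            f"access-list {number} deny ip any any",
        ]
    return acls


def render_config(interfaces, acls):
    """Emit the rewritten stanzas: each interface bound to its own ACL, ACLs at the end."""
    out = []
    for name, net in sorted(interfaces.items()):
        number = acls[name][0].split()[1]
        out += [f"interface {name}",
                f"  ip address {net[1] if name.endswith('0') else net[-2]} {net.netmask}",
                f"  ip access-group {number} in", "!"]
    for name in sorted(acls):
        out += acls[name]
    return "\n".join(out)


def acl_permits(acl_lines, src):
    """First-match evaluation of a generated ACL for one source address.

    Returns True if the source would be permitted inbound; an ACL with no
    matching entry behaves like IOS and denies implicitly.
    """
    s = ipaddress.IPv4Address(src)
    for line in acl_lines:
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACL line: {line}")
        _, action, src_spec, = m.groups()[:3]
        if src_spec == "any":
            return action == "permit"
        addr, wild = src_spec.split()
        # ipaddress accepts a hostmask (wildcard) in place of a prefix length
        if s in ipaddress.IPv4Network(f"{addr}/{wild}"):
            return action == "permit"
    return False


def audit_spoof_protection(interfaces, acls):
    """Verification pass: for each interface, confirm that an address from every
    other interface's network is denied and that its own first host is permitted.
    Returns a list of human-readable problems; empty means the filters hold."""
    problems = []
    for name, net in interfaces.items():
        if not acl_permits(acls[name], str(net[1])):
            problems.append(f"{name}: own network {net} is not permitted")
        for other, other_net in interfaces.items():
            if other != name and acl_permits(acls[name], str(other_net[1])):
                problems.append(f"{name}: source {other_net[1]} from {other} would be accepted")
    return problems


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    generated = build_ingress_acls(ifs)
    print(render_config(ifs, generated))
    print("audit problems:", audit_spoof_protection(ifs, generated))
```

The audit step is the part an operator would actually schedule: regenerate the expected per-interface ACLs from the live interface table and compare them against what the router is running, so a later address change on an interface cannot silently leave the old ingress filter in place.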
