[56632] in North American Network Operators' Group
Re: 69/8...this sucks -- Centralizing filtering..
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Tue Mar 11 14:05:17 2003
Date: Tue, 11 Mar 2003 20:04:47 +0100 (CET)
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: Peter Galbavy <peter.galbavy@knowtion.net>
Cc: <nanog@merit.edu>
In-Reply-To: <001301c2e7f3$a92c7f10$7c28a8c0@cblan.mblox.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 11 Mar 2003, Peter Galbavy wrote:
> > If all routes in the routing table are good (which soBGP and S-BGP can
> > do for you) and routers filter based on the contents of the routing
> > table, hosts will not see any bogon packets except locally generated
> > ones so they shouldn't have bogon filters of their own.
> I believe you are confusing authentication with authorisation.
I don't think I am.
> Having authentic routes does not imply that all the traffic will be
> 'correct'. Various networks will always fail to filter customer traffic at
> ingress etc. and then source address spoofing becomes trivial.
I don't see your point. Packets with bogon sources are just one class of
spoofed packets. As I've explained earlier, S-BGP or soBGP with uRPF will
get rid of bogons. Neither this nor bogon filters on the host will do
anything against non-bogon spoofed packets.
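
The distinction argued in this message, as an added example that is not part of the original post: a source-address check against a routing table assumed to hold only validated routes. The table, interface names and packets are constructed, and the loose/strict split follows common uRPF usage rather than anything stated in the thread.

```python
import ipaddress

# Constructed routing table: prefix -> interface the best route points out of.
# Assumption: every entry is a validated route and there is no default route.
ROUTES = {
    "192.0.2.0/24": "if-customer",
    "198.51.100.0/24": "if-transit",
    "203.0.113.0/24": "if-transit",
}
TABLE = [(ipaddress.ip_network(p), ifname) for p, ifname in ROUTES.items()]


def lookup(src):
    """Longest-prefix match on the source; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifname) for net, ifname in TABLE if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def urpf(src, in_if, strict=False):
    """Loose mode: any route to the source is enough.
    Strict mode: the route must also point back out the arrival interface."""
    route = lookup(src)
    if route is None:
        return "drop: no route to source"
    if strict and route[1] != in_if:
        return "drop: source is routed via " + route[1]
    return "accept"


# Constructed packets: (source, arrival interface, what the packet really is)
PACKETS = [
    ("240.0.0.1", "if-transit", "bogon source, no route in the table"),
    ("203.0.113.9", "if-transit", "genuine packet"),
    ("203.0.113.9", "if-customer", "customer spoofing a routed address"),
    ("198.51.100.7", "if-transit", "routed address spoofed further upstream"),
]

if __name__ == "__main__":
    for src, in_if, what in PACKETS:
        loose = urpf(src, in_if)
        strict = urpf(src, in_if, strict=True)
        print(f"{src:<14} {in_if:<12} loose={loose:<26} strict={strict:<40} {what}")
```

The unrouted source is dropped without any separate bogon list, while a spoofed source inside a routed prefix passes the loose check everywhere and passes the strict check on any interface the real route points to.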