[69362] in North American Network Operators' Group
RE: BGP TTL check in 12.3(7)T
daemon@ATHENA.MIT.EDU (Michel Py)
Thu Apr 8 12:40:57 2004
Date: Thu, 8 Apr 2004 09:40:06 -0700
From: "Michel Py" <michel@arneill-py.sacramento.ca.us>
To: "Blaine Christian" <blaine.christian@mci.com>
Cc: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
> Blaine Christian wrote
> http://www.faqs.org/rfcs/rfc3682.html
> I agree that it is not a panacea... But, you must admit,
> it provides an incredible level of comfort. It would be
> wonderful to only allow internally generated traffic to
> talk to the core of your network with a simple TTL filter.
> Versus anti-spoofing filters from hell.

That's not the way I see this at all. I look at it as a good complement
to anti-spoofing filters as part of defense in depth, in case said
filters get SNAFUed. My primary line of defense will remain ACLs.

Michel.
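
The layering discussed in this message, as an added example that is not part of the original post or of any vendor's implementation: a source-address ACL and an RFC 3682 style TTL check applied to the same inbound packet, reporting which layer drops it. The addresses, the `verdict` and `build_packet` helpers, and the `max_router_hops` threshold convention are assumptions of this sketch.

```python
import ipaddress
import struct

BGP_PORT, MAX_TTL = 179, 255

def build_packet(src, dst, ttl, dport=BGP_PORT):
    """Constructed sample: bare 20-byte IPv4 + 20-byte TCP SYN, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp

def verdict(pkt, peer_nets, max_router_hops=0):
    """Apply both layers to one inbound packet and name the layer that drops it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop:malformed"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 4:
        return "drop:malformed"
    ttl, proto = pkt[8], pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    # Simplification: only packets addressed to TCP destination port 179 are judged.
    if proto != 6 or struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != BGP_PORT:
        return "not-bgp"
    # Layer 1: source-address ACL (the anti-spoofing / peer filter).
    if not any(src in net for net in peer_nets):
        return "drop:acl"
    # Layer 2: TTL check. A peer sends with TTL 255 and every router on the path
    # decrements it, so a lower TTL than allowed means the packet came from farther away.
    if ttl < MAX_TTL - max_router_hops:
        return "drop:ttl"
    return "accept"

GOOD_ACL = [ipaddress.ip_network("192.0.2.1/32")]   # constructed peer address
BROKEN_ACL = [ipaddress.ip_network("0.0.0.0/0")]    # a filter that has been "SNAFUed"

if __name__ == "__main__":
    me = "192.0.2.2"  # constructed local address
    samples = [
        ("real peer, adjacent", build_packet("192.0.2.1", me, 255), GOOD_ACL),
        ("peer address, 12 hops away", build_packet("192.0.2.1", me, 243), GOOD_ACL),
        ("on-link host, wrong source", build_packet("198.51.100.9", me, 255), GOOD_ACL),
        ("remote host, broken ACL", build_packet("198.51.100.9", me, 250), BROKEN_ACL),
    ]
    for name, pkt, acl in samples:
        print(f"{name:28s} -> {verdict(pkt, acl)}")
```

Each layer stops a case the other lets through: the TTL check catches distant traffic that carries an address the ACL permits, and the ACL catches an adjacent host whose TTL is valid.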