[92529] in North American Network Operators' Group
Re: icmp rpf
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Sun Sep 24 20:32:05 2006
In-Reply-To: <20060924233330.F11E22847D@noc.mainstreet.net>
From: Roland Dobbins <rdobbins@cisco.com>
Date: Sun, 24 Sep 2006 17:30:03 -0700
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Sep 24, 2006, at 4:33 PM, Mark Kent wrote:
> Remember, we're not talking about RFC1918 space,
> where there is a BCP that says we should filter it at the edge.
> We're talking about public IP space, that just doesn't happen to be
> announced outside of a particular AS.
If the intent is to prevent folks from reaching out and touching
random network infrastructure devices directly whilst still allowing
traceroute to work, iACLs and/or using IS-IS as one's IGP and null-
routing the infrastructure blocks at one's various edges achieves the
same effect with less potential for breakage:
http://www.nanog.org/mtg-0405/mcdowell.html
Note that a good infrastructure addressing plan is a prerequisite for
both of these methods.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
Any information security mechanism, process, or procedure which can
be consistently defeated by the successful application of a single
class of attacks must be considered fatally flawed.
-- The Lucy Van Pelt Principle of Secure Systems Design
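One way the iACL approach from the message above looks in practice, as an added Cisco IOS example that is not from the post or the linked talk; the infrastructure block 192.0.2.0/24, the peering link 203.0.113.0/30 and the interface name are constructed placeholders:

```cisco
! Constructed example: edge router facing an external peer.
! Assumed infrastructure block: 192.0.2.0/24 (loopbacks, P2P links).
! Assumed peering link: 203.0.113.1 (us) <-> 203.0.113.2 (peer).
ip access-list extended IACL-EDGE-IN
 ! Traffic the outside world legitimately needs to send *to* infrastructure:
 ! the eBGP session from the directly connected neighbor only.
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 ! Non-initial fragments cannot be matched on ports; drop them to infra space.
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 ! Everything else addressed to the infrastructure block is dropped here,
 ! so the router itself is not reachable from outside.
 deny   ip any 192.0.2.0 0.0.0.255
 ! Transit traffic to customer and public prefixes is untouched.
 permit ip any any
!
interface GigabitEthernet0/0
 description External peer link (constructed example)
 ip address 203.0.113.1 255.255.255.252
 ip access-group IACL-EDGE-IN in
!
! Why traceroute keeps working: the ACL is applied inbound and only filters
! packets *destined* to infrastructure addresses. TTL-exceeded messages are
! generated by the router itself and leave outbound, sourced from an
! infrastructure address, so each hop still appears in the trace.
! A consistent addressing plan (all infrastructure inside 192.0.2.0/24)
! is what makes the single deny line sufficient.
```

If infrastructure addresses are scattered across many prefixes, the deny lines multiply and are easy to miss, which is the point of the prerequisite about the addressing plan.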