Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Blocking spoofing at the source (was: ICMP Attacks??)

  • From: Joe Rhett
  • Date: Fri Aug 22 17:55:50 1997

 
> Given the predominance of Ascend in the marketplace, and their general
> configuration style, it would be cool to see an option
> "AllowIpSpoofing=Yes/No" or the like. The boxes already carry routes
> associated with each interface. If a packet arrives that doesn't have a
> route to get it back to the interface it came from, it would be dropped.
> Sure, this may not always be what you want, but in 99% of the cases it
> would be. Implementation via Radius would permit this to be removed from
> people you wish to allow to spoof. :)
 
This won't work on anything with multiple diverse paths. And I don't know
many companies with their own WANs that don't have such.

So, yes, the idea is nice but the logic would have to be much more
comprehensive than that. And I honestly don't know how you could safely do
it, that won't break half the routing topologies out there.

(if you assume multipath OSPF for the IGP... maybe. But that's one hell of
an assumption.)

-- 
Joe Rhett                                                 Systems Engineer
JRhett@ISite.Net                                          ISite Services

PGP keys and contact information:     http://www.navigist.com/Staff/JRhett




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.