North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: SYN spoofing
- From: Jared Mauch
- Date: Wed Jul 28 14:04:48 1999
On Wed, Jul 28, 1999 at 11:54:03AM -0400, bryan s. blank wrote:
> % ip verify unicast reverse-path
> % and according to Paul Ferguson (co-author of RFC 2267) it's in use by
> % many ISPs. Apparently this is very-low overhead. Paul has also indicated
> % the use of extended access lists on Cisco routers is very low overhead,
> % especially on routers using distributed express forwarding.
> while i hate to question mr. ferguson, it's my understanding
> that many isps have found this feature to be unusable due to
> network design.
You can't use this in the core, but you can use it on cpe facing
eg: the interface that faces your dial lan, or colocate lan,
etc.. and on single ckt connections.
You get into some cases where you have a customer that is doing
more complicated things than just pointing default at you...
(ie: they're multihomed, or have various netblocks, and
do not announce them all to you or do policy routing inside their network).
What problems are you seeing, as I've not had problems with
this deployed in my network. I know that there have been ECM bugs
in the past (equal cost multipath), and it not doing the rpf check
correctly, but those problems should not affect most of the customers
in the world.
Jared Mauch | pgp key available via finger from firstname.lastname@example.org
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
| "Waste Management Consultant" VOYN