Re: [apnic-talk] NICs and Egress filtering?
On Mon, Jan 08, 2001 at 01:40:08PM +1030, Phil Crooker wrote:
> Joe Abley wrote:
> > On Mon, Jan 08, 2001 at 11:06:08AM +1030, Phil Crooker wrote:
> >
> > I think the more usual place to apply filters to catch spoofing is
> > on the ingress to your network, on the customer-facing circuit.
> > Packet filtering is frequently expensive, which is a good reason
> > to push it out to the edge.
> >
>
> An egress filter prevents spoofed addresses entering the Internet from
> that router.
To use egress filters reliably, you would have to place them on every
customer-, peer- and provider-facing router interface. That's an O(n^2)
configuration problem, and also requires placing packet filters on fat
trunks to peers and providers.
Using ingress filters on customer-facing interfaces is an O(n)
configuration problem, and avoids the requirement for filtering
on peer and provider circuits.
> > > It seems to me the major NICs are about the only body that have the
> > > wherewithal to enforce these filters.
> >
> > How would they enforce them?
>
> No filter, no route your network of course!
(a) APNIC, ARIN and RIPE have no say in how your network gets routed.
(b) The only person who would know if the filters were not in place
would be the customer. If they were a good customer, they wouldn't need
them; if they were an evil customer, they would keep quiet so they
could exploit the hole.
> The technical difficulty as
> I see it would be to test for this externally to the router with the
> filter -- I don't know enough about IP to know if it is possible.
Joe
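To make the O(n) versus O(n^2) argument above concrete, here is an added model (not from either poster) of the two filter placements on a constructed topology: three customer-facing interfaces with documentation-range prefixes and three trunk interfaces facing peers and an upstream. It also goes one step beyond the thread by showing that a trunk-side egress filter, which must permit the whole network's prefix list, cannot tell one customer's addresses from another's.

```python
import ipaddress

# Constructed topology (not from the thread): customer-facing interfaces with
# their assigned prefixes, plus "fat trunk" interfaces to peers and an upstream.
CUSTOMERS = {
    "cust0": ["192.0.2.0/25"],
    "cust1": ["192.0.2.128/25", "198.51.100.0/24"],
    "cust2": ["203.0.113.0/24"],
}
TRANSIT = ["peer0", "peer1", "upstream0"]


def ingress_filters(customers):
    """Joe's O(n) placement: each customer-facing interface permits only sources
    inside that customer's own prefixes. Peer/provider trunks carry no filter."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in customers.items()}


def egress_filters(customers, transit):
    """Phil's placement: every peer/provider-facing interface must permit the
    whole network's prefix list, so rule count grows with customers x trunks."""
    everything = [ipaddress.ip_network(p)
                  for prefixes in customers.values() for p in prefixes]
    return {iface: list(everything) for iface in transit}


def rule_count(filters):
    """Total prefix entries an operator has to configure and keep in sync."""
    return sum(len(nets) for nets in filters.values())


def forwards(filters, direction, in_iface, out_iface, src):
    """Apply the filter bound to the inbound ("in") or outbound ("out") interface.
    The packet passes if that interface has no filter or the source matches."""
    iface = in_iface if direction == "in" else out_iface
    if iface not in filters:
        return True
    src = ipaddress.ip_address(src)
    return any(src in net for net in filters[iface])


if __name__ == "__main__":
    ing, egr = ingress_filters(CUSTOMERS), egress_filters(CUSTOMERS, TRANSIT)
    print("ingress rules:", rule_count(ing), " egress rules:", rule_count(egr))
    # cust0 sending toward the upstream with its own, a bogus, and cust1's source
    for src in ("192.0.2.7", "10.0.0.1", "198.51.100.5"):
        print(src, "ingress:", forwards(ing, "in", "cust0", "upstream0", src),
              "egress:", forwards(egr, "out", "cust0", "upstream0", src))
```

Doubling both the customer count and the trunk count quadruples the egress rule total while only doubling the ingress one, which is the configuration cost Joe is pointing at.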
* APNIC-TALK: General APNIC Discussion List *
* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *