Re: [apnic-talk] NICs and Egress filtering?

"How would they enforce them?"

Good question, Joe, and one which I've also thought about without getting
to any sensible conclusion myself.

Egress filtering would ensure that traffic used source addresses consistent
with routing advertisements (RFC 2827), right?

But surely this would also require that the routing system itself has some
level of trustable integrity. The issue in my mind is: how is the integrity
of the routing system managed?

At 1/7/01 08:52 PM -0500, Joe Abley wrote:
>On Mon, Jan 08, 2001 at 11:06:08AM +1030, Phil Crooker wrote:
> > Hi,
> >
> > I look after Internet security for our company and have often wondered
> > ....
> >
> > Considering how important egress filtering of spoofed IP addresses is
> > in preventing Distributed Denial Of Service attacks, I was wondering
> > whether APNIC and the other NICs have considered requiring IP address
> > holders to apply egress filters on their boundary routers?
>
>I think the more usual place to apply filters to catch spoofing is
>on the ingress to your network, on the customer-facing circuit.
>Packet filtering is frequently expensive, which is a good reason
>to push it out to the edge.
>
> > It seems to me the major NICs are about the only bodies that have the
> > wherewithal to enforce these filters.
>
>How would they enforce them?
>
>
>Joe
>
>
>* APNIC-TALK: General APNIC Discussion List *
>* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *
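
Added example, not part of the original messages: a Python sketch of the RFC 2827 source-address check discussed in this thread, showing that a filter built from announced prefixes is only as trustworthy as the prefix list behind it. The prefixes, packets and function names are constructed for illustration (RFC 5737 documentation ranges), not taken from any real network or router.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737), not real routes.
ANNOUNCED = ["192.0.2.0/24", "198.51.100.0/24"]
PACKETS = [  # (source address, destination address)
    ("192.0.2.10", "203.0.113.80"),
    ("198.51.100.200", "203.0.113.80"),
    ("203.0.113.7", "192.0.2.1"),        # source outside the announced space
    ("10.1.2.3", "203.0.113.80"),        # private source leaking out
    ("not-an-address", "203.0.113.80"),  # malformed source field
]


def build_permit_list(prefixes):
    """Turn the prefixes a site announces into an egress permit list."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def egress_permits(src, permit_list):
    """True when src is inside a permitted prefix; unparsable sources are dropped."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in permit_list)


def filter_egress(packets, prefixes):
    """Split packets into (forwarded, dropped) by source address."""
    permit_list = build_permit_list(prefixes)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_permits(pkt[0], permit_list) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_egress(PACKETS, ANNOUNCED)
    print("forwarded:", [p[0] for p in fwd])
    print("dropped:  ", [p[0] for p in drop])
    # The filter is only as good as the prefix list it was built from: once an
    # unverified announcement is accepted into that list, the same check
    # forwards a source address it dropped a moment ago.
    fwd2, _ = filter_egress(PACKETS, ANNOUNCED + ["203.0.113.0/24"])
    print("with unverified prefix:", [p[0] for p in fwd2])
```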