Re: [apnic-talk] NICs and Egress filtering?
Geoff and all,
Geoff Huston wrote:
> "How would they enforce them?"
>
> Good question Joe, and one which I've also thought about without getting
> to any sensible conclusion myself.
>
> Egress filter would ensure that traffic used source addresses consistent
> with routing advertisements (RFC 2827) right?
IMHO,I believe it would, yes.
>
>
> But surely this would also require that the routing system itself has some
> level of trustable integrity. The issue in my mind is: how is the integrity
> of the routing system managed?
It really isn't today. Maybe some day. And there is one of the problems
with this approach....
>
>
> At 1/7/01 08:52 PM -0500, Joe Abley wrote:
> >On Mon, Jan 08, 2001 at 11:06:08AM +1030, Phil Crooker wrote:
> > > Hi,
> > >
> > > I look after Internet security for our company and have often wondered
> > > ....
> > >
> > > Considering how important egress filtering of spoofed IP addresses in
> > > preventing Distributed Denial Of Service attacks, I was wondering
> > > whether APNIC and the other NICs have considered requiring IP address
> > > holders to apply egress filters on their boundary routers?
> >
> >I think the more usual place to apply filters to catch spoofing is
> >on the ingress to your network, on the customer-facing circuit.
> >Packet filtering is frequently expensive, which is a good reason
> >to push it out to the edge.
> >
> > > It seems to me the major NICs are about the only body that have the
> > > where-with-all to enforce these filters.
> >
> >How would they enforce them?
> >
> >
> >Joe
> >
> >
> >* APNIC-TALK: General APNIC Discussion List *
> >* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *
>
> * APNIC-TALK: General APNIC Discussion List *
> * To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *
Regards,
--
Jeffrey A. Williams
Spokesman INEGroup (Over 112k members strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1 at ix dot netcom dot com
Contact Number: 972-447-1800 x1894 or 9236 fwd's to home ph#
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208
* APNIC-TALK: General APNIC Discussion List *
* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *