I'd encourage folks to read the draft that Paul Ferguson and I have written on this subject. We talk about some things that COULD be implemented that would greatly help with source address problems.

One of these would be a change to your remote access servers, and would be quite straightforward for vendors to implement: For DIALUP users, provide an option (would need to be per user) to require that the packets arriving from that dialup user have the IP address that was assigned by the RAS server when the user dialed up. At modem or ISDN speeds, the packet rate is QUITE low, and this filtering should NOT be a CPU overhead problem. A SINGLE compare of a 32 bit integer is ALL we're talking about here.

The reason to make this configurable per-user is to allow dialups by remote routers that are routing separate nets or subnets behind them. In those cases, a more complex filter would be desirable, but perhaps somewhat less necessary.

It is my suspicion that a vast majority of the intentional source IP address trouble comes from dialup users who can leap from provider to provider.

Filtering should be done as close to the actual customers as possible. I do understand the difficulty with the present core routing equipment when trying to filter large amounts of traffic, but that doesn't apply to routers at the periphery of the net. As someone else suggested, even if some of the core networks can't do all of their own filtering, they COULD add that as a requirement for those networks that are fed from them, and they from their downstreams, etc. until the T1 line, or 56K leased line, or dialup modem line at the periphery IS FILTERED.

Daniel Senie
OpenROUTE Networks, Inc.

--
-------------------------------------------------------
Daniel Senie                              dts@openroute.com
OpenROUTE Networks, Inc.         http://www.openroute.com/
508-898-2800
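The per-user source check described in the post above, as an added example that is not part of the original message: a strict single-address compare for ordinary dialup users, plus the per-user allow-list for a dialup router with subnets behind it. The user names, addresses, prefixes and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example: the ingress filter a RAS could apply to packets
# arriving from a dialup port, keyed on the session's assigned address.

@dataclass
class DialupSession:
    user: str
    assigned: ipaddress.IPv4Address      # address handed out by the RAS at dial-in
    # Per-user option for remote routers with nets/subnets behind them.
    # Empty list means strict mode: a single 32-bit compare against `assigned`.
    routed_prefixes: list = field(default_factory=list)

    def source_ok(self, src: str) -> bool:
        addr = ipaddress.IPv4Address(src)
        if not self.routed_prefixes:
            return int(addr) == int(self.assigned)   # the single compare
        return addr == self.assigned or any(addr in p for p in self.routed_prefixes)


def filter_packets(session: DialupSession, packets):
    """Split (src, dst) tuples into (forwarded, dropped) per the session's policy."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if session.source_ok(src) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed sample traffic seen on one dialup port
PACKETS = [
    ("10.1.2.3", "192.0.2.10"),     # source is the RAS-assigned address
    ("203.0.113.9", "192.0.2.10"),  # forged source, not ours to forward
    ("10.9.0.7", "192.0.2.10"),     # host on a subnet behind a dialup router
]


def demo():
    strict = DialupSession("alice", ipaddress.IPv4Address("10.1.2.3"))
    router = DialupSession("branch-rtr", ipaddress.IPv4Address("10.1.2.3"),
                           [ipaddress.IPv4Network("10.9.0.0/24")])
    return filter_packets(strict, PACKETS), filter_packets(router, PACKETS)


if __name__ == "__main__":
    for label, (fwd, drp) in zip(("strict", "router"), demo()):
        print(label, "forwarded:", fwd, "dropped:", drp)
```

In strict mode the forged and behind-the-router packets are both dropped; the router profile admits the 10.9.0.0/24 host while still dropping the forged source.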