paul, it sounds a good idea but is it possible? I don't think cisco can filter by wrong SRC address bases. ^^^^^ you still can use still use any ip on the same segment. (Big deal, huh? :-) ) Furthermore, it will cause some problem for Mobile IP stuff, if I remember correctly. regards, tatsuya On Tue, 17 Feb 1998, Bradley Reynolds wrote:
See RFC2267.
- paul
Good news.
One more question (just is there is someone from the CISCO) - what's about source-address filtering at default for the access servers/routers? Note all this problems (SMURF, DENIAL-ATTACK, DNS-FRAUDING, etc etc) can be 100% blocked if ISP would not allow it's customers to send IP packets with the wrong SRC address. If not, they (hackers) should found new, new and new tricks to fraud any IP network.
You can apply the RPF idiom from multicast to block unicast flooding. This would instantly solve the problem, though I am not sure what overhead the path evaluation would incur.
BR
brad@iagnet.net