"Alex.Bligh" writes:
danny@genuity.net said:
Aug 15 20:04:45.087 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp 1.1.1.1 (Fddi6/0 0060.7017.a188) -> 192.41.177.255 (0/0), 1 packet
I'm pretty sure this is a new feature. Wow. Useful. That's exactly what I wanted. Given you are doing this I take it it's in 11.1.11CA1.
Hope I haven't overlooked something obvious here... but I'm sure that if I did someone will "enlighten" me ;-) Of course, the one obvious thing I didn't mention is that if everyone were to deploy ingress filtering, this would be much, much easier to control.
The other nice solution would be an inverse traceroute that went back to each router in turn, passing it a bit of BPF saying "where are you getting packets like this from please?". If such a protocol existed, this would allow trace back to source (or at least trace back to the point where the protocol wasn't supported) which would automate most of the tracking and reduce the need to persuade NOCs to cooperate. There are obviously security concerns in allowing 3rd parties to remotely apply packet tracking in your network, but I'm sure with a cold flannel applied to forehead these could be worked through. RFC time anyone?
Alex Bligh Xara Networks
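As an added example (not part of the thread, and not Cisco's or Xara's code), here is a small Python parser for the %SEC-6-IPACCESSLOGDP line shape quoted above. It pulls out the input interface and source MAC that the log-input form adds after the source address, then aggregates packet counts per claimed source by (interface, MAC) so an operator can see which upstream neighbour to ask next. Only the first sample line is the one from the post; the others are constructed, and the regex assumes every line follows exactly the quoted format (an Ethernet-style MAC after the interface name, an ICMP type/code after the destination).

```python
import re
from collections import Counter, defaultdict

# Regex for the IOS access-list log line shape quoted in the post. With
# 'log-input' the source address is followed by "(interface source-mac)";
# the "(type/code)" after the destination is the ICMP type and code.
# Assumption: lines that do not match this exact shape are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>.+?): %SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) (?P<src>\S+) "
    r"\((?P<iface>\S+) (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\) "
    r"-> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?$"
)

# Constructed sample log: the first line is the one quoted in the post, the
# rest are made up (192.0.2.0/24 is documentation space; the MACs are invented).
SAMPLE_LOG = [
    "Aug 15 20:04:45.087 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp 1.1.1.1 (Fddi6/0 0060.7017.a188) -> 192.41.177.255 (0/0), 1 packet",
    "Aug 15 20:04:52.311 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp 1.1.1.1 (Fddi6/0 0060.7017.a188) -> 192.41.177.255 (0/0), 37 packets",
    "Aug 15 20:05:01.500 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp 1.1.1.1 (Ethernet1/0 0000.0c12.3456) -> 192.41.177.255 (0/0), 2 packets",
    "Aug 15 20:05:03.002 MST: %SEC-6-IPACCESSLOGDP: list 199 denied icmp 192.0.2.9 (Fddi6/0 0060.7017.a188) -> 192.41.177.255 (8/0), 5 packets",
    "Aug 15 20:05:04.000 MST: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an
    IPACCESSLOGDP entry in the log-input form."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "count"):
        rec[key] = int(rec[key])
    return rec


def ingress_summary(lines):
    """Map each claimed source address to a dict of
    (input interface, source MAC) -> total packets seen from that pair.

    A spoofed source address tells you nothing, but the interface and MAC
    it arrived on identify the upstream device, which is the next hop in a
    manual trace-back."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        summary[rec["src"]][(rec["iface"], rec["mac"])] += rec["count"]
    return {src: dict(counts) for src, counts in summary.items()}


def next_hop_for(lines, src):
    """Return the (interface, MAC) pair that delivered the most packets
    claiming to be from `src`, or None if `src` never appears."""
    counts = ingress_summary(lines).get(src)
    if not counts:
        return None
    return max(counts, key=counts.get)


if __name__ == "__main__":
    for src, counts in ingress_summary(SAMPLE_LOG).items():
        for (iface, mac), total in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"{src:16} via {iface:12} {mac}  {total} packets")
    print("ask the neighbour on", next_hop_for(SAMPLE_LOG, "1.1.1.1"))
```

Run against a syslog file instead of SAMPLE_LOG to get the per-neighbour breakdown; when two interfaces both carry the same spoofed source, the counts show which one dominates and both upstreams can be contacted.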