14 Feb 2014, 9:18 p.m.
On 2/14/2014 9:07 PM, Paul Ferguson wrote:
> Indeed -- I'm not in the business of bit-shipping these days, so I can't endorse or advocate any particular method of blocking spoofed IP packets in your gear.
If you're dead-end, a basic ACL that permits ONLY your prefixes on egress, and blocks your prefixes on ingress, is perhaps the safest bet. Strict uRPF has its complications, and loose uRPF is almost too forgiving. If you're providing transit, it gets much more complicated much more quickly, but the same principles apply (they just get to be a less-than-100% solution) :)
> I can, however, say with confidence that it is still a good idea. Great idea, even. :-)
Oh yeah :) Jeff
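
The stub-network rule described in the message above (permit only your own prefixes as source on egress, drop your own prefixes as source on ingress), modeled over a few border flow records. This is an added example, not code from the thread: the prefixes are documentation ranges standing in for a site's real allocations, and the function names and sample flows are constructed for illustration.

```python
import ipaddress

# Constructed "your prefixes" (RFC 5737 / RFC 3849 documentation ranges).
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "2001:db8:10::/48")]

def is_ours(addr):
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net
               for net in SITE_PREFIXES)

def edge_acl(direction, src):
    """Decision of the stub-network border ACL for one packet source."""
    ours = is_ours(src)
    if direction == "egress":      # leaving the site: source must be ours
        return "permit" if ours else "deny"
    if direction == "ingress":     # entering the site: source must not be ours
        return "deny" if ours else "permit"
    raise ValueError("direction must be 'egress' or 'ingress'")

def audit(flows):
    """Return the flows the ACL would drop, with the reason for each."""
    dropped = []
    for direction, src, dst in flows:
        if edge_acl(direction, src) == "deny":
            reason = ("foreign source leaving site" if direction == "egress"
                      else "own prefix arriving from outside")
            dropped.append((direction, src, dst, reason))
    return dropped

# Constructed border flow records: (direction, source, destination).
SAMPLE_FLOWS = [
    ("egress",  "192.0.2.17",       "198.51.100.9"),
    ("egress",  "203.0.113.5",      "198.51.100.9"),
    ("ingress", "198.51.100.9",     "192.0.2.17"),
    ("ingress", "192.0.2.200",      "192.0.2.17"),
    ("egress",  "2001:db8:10::5",   "2001:db8:ffff::1"),
    ("ingress", "2001:db8:10:1::9", "2001:db8:10::5"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(*row, sep="  ")
```

Running the same check over exported flow data before enabling the ACL shows which internal sources would be dropped on egress, which is usually where misconfigured hosts or unlisted prefixes surface.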