On Tue, Jan 12, 1999 at 05:51:36PM +0000, Alex Bligh wrote:
2) Using the "ip verifiy unicast reverse-path" Cisco feature (it's in 11.1CC images when you use CEF, so I don't get a flood of e-mails)
I'm sure far more people would source filter if Cisco put this in CPE routers.
This does not mean you can't filter on your fastether, ether, fddi, etc.. that goes to customer aggregation boxes, or on the T1 where that connectivity hits your core backbone node, (I understand there are cases where this would not work, for some larger customers perhaps), but for most cases, this would be possible. If i have network topology that provides the following scenario: upstream | +----------+ | core rtr |--- N x backbone link(s) +----------+ \ \ +------------+ -| access lan | +------------+ Where access lan is any number of customer aggregation boxes, such as 36xx w/ t1 intfs, (dial) access boxes, etc, you can source filter that lan at that point instead of the edge. If you manage lans similar to this, you shouldn't allow your dial customers to spoof and start these attacks. - Jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.