On Tue, 16 Jun 1998, Karl Denninger wrote:
> We're looking into implementing filtering on ALL ingress paths, including dedicated line, as soon as we can come up with a tool to manage it automatically. The dial side is trivial and as such I can't understand how ANYONE can have an excuse for not doing that - at this point.
For those who don't bother filtering "because it's too hard or too complicated", if you don't want or can't afford to put the work into tight ingress filtering on all interfaces, it's really easy to just say "our IP blocks are A, B, and C. Allow input with source addresses in A, B, or C, deny everything else." That will at least protect the rest of the internet from your lusers.

On IOS, aren't packets going through ip access-group filters (that don't do logging) fast switched as of some point in 11.2? If ingress filtering no longer has to put a huge burden on router CPUs, it would be nice to see ingress filtering on the routers backbone providers talk to customers with.

Don't tell me it's too much of an administrative problem. None of my current backbone providers will listen to BGP advertisements that haven't been arranged in advance (either by email or phone). If I can't advertise the space, why should I be allowed to spoof source addresses from it?

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>        |  Spammers will be winnuked or
 Network Administrator             |  drawn and quartered...whichever
 Florida Digital Turnpike          |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key_____
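The "allow our blocks A, B, C; deny everything else" policy from the message above, as an added example (not from the thread or either poster): the script computes the IOS wildcard masks and emits the inbound access-list for a customer-facing interface, then evaluates the same policy over a few constructed source addresses. The customer blocks, interface name and ACL number are placeholders.

```python
import ipaddress

# Constructed placeholders: the blocks this customer is allowed to source from.
CUSTOMER_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]


def wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS extended access-lists take an inverted mask (wildcard), not a netmask."""
    return str(net.hostmask)


def ios_ingress_acl(blocks, acl_number=101):
    """Emit the ACL lines: permit the customer's own source blocks, deny the rest.
    No 'log' keyword on the deny, so the list can stay on the fast-switched path."""
    lines = []
    for b in blocks:
        net = ipaddress.ip_network(b)
        lines.append(
            f"access-list {acl_number} permit ip {net.network_address} {wildcard(net)} any"
        )
    lines.append(f"access-list {acl_number} deny ip any any")
    return lines


def ingress_verdict(src, blocks):
    """Same policy evaluated in Python: True = forward, False = drop as spoofed."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(b) for b in blocks)


def filter_packets(srcs, blocks):
    """Split a batch of source addresses into (forwarded, dropped)."""
    forwarded = [s for s in srcs if ingress_verdict(s, blocks)]
    dropped = [s for s in srcs if not ingress_verdict(s, blocks)]
    return forwarded, dropped


if __name__ == "__main__":
    for line in ios_ingress_acl(CUSTOMER_BLOCKS):
        print(line)
    print("interface Serial0")          # placeholder customer-facing interface
    print(" ip access-group 101 in")    # apply inbound, i.e. ingress from the customer
    # Constructed sample traffic: two legitimate sources, two that would be spoofed.
    fwd, drop = filter_packets(
        ["192.0.2.10", "203.0.113.5", "198.51.100.200", "10.0.0.1"], CUSTOMER_BLOCKS
    )
    print("forwarded:", fwd)
    print("dropped as spoofed:", drop)
```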