On Thu, 21 Aug 1997 23:55:57 -0400 (EDT), woods@most.weird.com writes:
[ On Thu, August 21, 1997 at 17:18:24 (-0500), Jon Green wrote: ]
Subject: Re: ICMP Attacks???????
I don't think that's a good idea. The vast majority of routers that I sell to customers are not used in Internet applications, and to add another configuration step to enable the router to do what routers traditionally do by default would be very confusing to the end user.
Wait just one minute there.
You're saying that Corporate America *relies* on being able to do IP source address spoofing through the routers it builds its commercial private networks with?
Well, I wasn't quite thinking here. The original post had said something about making a router check to see if a packet came from a locally configured interface, which I said would not be a good idea. Obviously, though, for non-local networks the router would have a route table entry to get back to it, even if it jumps through three other routers.

That being said, we *could* have a configuration option that makes a router check its routing table to make sure a packet coming in an interface has a route back out that same interface. This should not be a default option, though, since there are often two paths to a destination and the routing table may not match where the packet came from. That's not the best English, but you get it..

What would doubling the number of route table lookups do from a performance standpoint? Since I would envision this as an edge-router type thing, I would assume the impact would not be that great.

-Jon

-------------------------------------------------------------------------
* Jon Green                   * "Life's a dance                         *
* jcgreen@netINS.net          * you learn as you go"                    *
* Finger for Geek Code/PGP    *                                         *
* #include "std_disclaimer.h" * http://www.netins.net/showcase/jcgreen  *
-------------------------------------------------------------------------
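The reverse-path check proposed in the message above, as an added example that is not part of the original thread: a packet is accepted only if the best route back to its source leaves through the interface it arrived on. The routing table, interface names, addresses and the `process` helper are all constructed for illustration; the sample shows a spoofed source being dropped, a legitimate packet on an asymmetric path being dropped as well, and the extra lookups the check costs.

```python
import ipaddress

# Constructed routing table for a hypothetical edge router: (prefix, egress interface).
ROUTES = [
    ("10.1.0.0/16", "eth1"),  # customer LAN
    ("10.2.0.0/16", "eth2"),  # second site, preferred path
    ("0.0.0.0/0", "eth0"),    # default route toward the upstream
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]


def lookup(addr):
    """Longest-prefix match; return the egress interface, or None if no route."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in TABLE if ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def process(packets, rpf=False):
    """Forward packets given as (in_ifc, src, dst); return (decisions, lookups).

    With rpf=True the source address is looked up first, and the packet is
    dropped unless the route back to it leaves via the arrival interface.
    """
    decisions, lookups = [], 0
    for in_ifc, src, dst in packets:
        if rpf:
            lookups += 1
            if lookup(src) != in_ifc:
                decisions.append("drop-rpf")
                continue
        lookups += 1
        decisions.append(lookup(dst) or "drop-noroute")
    return decisions, lookups


# Constructed sample traffic.
PACKETS = [
    ("eth1", "10.1.5.9", "198.51.100.20"),   # customer host, correct interface
    ("eth1", "192.0.2.7", "198.51.100.20"),  # foreign source arriving from the LAN
    ("eth0", "10.2.3.4", "10.1.5.9"),        # site 2 traffic arriving via the other path
    ("eth0", "192.0.2.7", "10.1.5.9"),       # upstream source, correct interface
]

if __name__ == "__main__":
    for enabled in (False, True):
        print("rpf" if enabled else "no-rpf", *process(PACKETS, rpf=enabled))
```

The third packet is the two-paths case raised in the message: the source is genuine, but the routing table prefers `eth2`, so the check drops it.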