On Tue, 27 Mar 2001 15:18:08 PST, David Schwartz said:
> The problem is, the filter will block legitimate traffic. IP does not provide any sure way to tell a spoofed packet from an unspoofed packet.
Hmm.. if I *know* that my customer has a single-homed /24, and I see a packet come in from his /24 that has a source address outside that /24, there's a *pretty* *good* chance that something squirrely is going on. But we *know* that this crowd is a "tough room" - we just *had* a flame fest regarding filtering RFC1918 addresses. So I won't go there again. ;)
> Do an informal survey. Ask network operators who ingress filter whether they log and investigate packets that hit the filter. I will bet you that more than 2/3 say they don't. In other words, the filter substitutes for
And a survey of DNS servers quite recently showed that 16% still haven't upgraded to non-hackable versions of BIND. A lot of people drive without seat belts too. Just because 2/3 of a group do something doesn't mean it's a good idea.

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
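The per-customer check Valdis describes (a single-homed /24 should never be the ingress point for a packet sourced outside that /24) can be expressed as a small ingress filter that also records every hit, which is the "log and investigate" step the survey question asks about. The following is an added example written for this thread, not code from either poster; the interface name, the customer prefix and the sample packets are constructed values chosen from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed policy: one customer-facing interface and the single-homed prefix
# it is allowed to originate. A real deployment keeps one entry per customer
# port; "eth1" and 203.0.113.0/24 are assumptions for illustration.
INGRESS_POLICY = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample of packets arriving on eth1 as (interface, src, dst).
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.17", "198.51.100.5"),   # inside the customer's /24
    ("eth1", "203.0.113.200", "198.51.100.9"),  # inside the customer's /24
    ("eth1", "10.0.0.1", "198.51.100.5"),       # RFC1918 source, not the customer's
    ("eth1", "192.0.2.44", "198.51.100.5"),     # outside the customer's /24
    ("eth1", "192.0.2.44", "198.51.100.6"),     # same spoofed-looking source again
]


def source_permitted(interface, src, policy=INGRESS_POLICY):
    """True when src lies inside a prefix the interface may originate.

    Interfaces with no policy entry are left unfiltered (permit), matching a
    filter that is applied per customer port rather than to every port.
    """
    prefixes = policy.get(interface)
    if prefixes is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in prefixes)


def apply_ingress_filter(packets, policy=INGRESS_POLICY):
    """Split packets into permitted ones and filter hits.

    Hits are also tallied per (interface, source) so the result is a log an
    operator can actually look at, rather than a silent drop counter.
    """
    permitted, hits = [], []
    for interface, src, dst in packets:
        if source_permitted(interface, src, policy):
            permitted.append((interface, src, dst))
        else:
            hits.append((interface, src, dst))
    tally = Counter((iface, src) for iface, src, _ in hits)
    return permitted, hits, tally


def format_hit_log(hits):
    """One syslog-style line per filter hit (format is an assumption)."""
    return [f"INGRESS-DROP iface={iface} src={src} dst={dst}"
            for iface, src, dst in hits]


if __name__ == "__main__":
    ok, dropped, tally = apply_ingress_filter(SAMPLE_PACKETS)
    for line in format_hit_log(dropped):
        print(line)
    for (iface, src), count in tally.most_common():
        print(f"{iface} {src}: {count} packet(s) with a source outside the permitted prefix")
```

Running it drops the three packets whose source lies outside 203.0.113.0/24 and reports 192.0.2.44 twice, which is the kind of repeated hit worth a follow-up call to the customer; the two packets from inside the /24 pass untouched, so the filter only blocks traffic the customer could not legitimately have sent.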