From: Randy Bush <randy@psg.com> To: Joe Shaw <jshaw@insync.net> CC: John Fraizer <John.Fraizer@EnterZone.Net>,Dan Hollis <goemon@sasami.anime.net>, bandregg@redhat.com,nanog@merit.edu Subject: Re: SYN spoofing Date: Mon, 2 Aug 1999 17:09:55 +0200 (CEST)
How hard is it really to put a filter on your outbound links that says drop all ip traffic heading out these links that isn't from my IP space?
trivial. only one gotcha. if it is a backbone router, it will fall over dead. beyond that, not a problem.
backbone level traffic can not be packet filtered by current real routers. but we've had this discussion a few times already.
randy
Which is why it's more scaleable to do packet filtering at the edge, and leave the core to do what it does best...switch packets. -rb _______________________________________________________________ Get Free Email and Do More On The Web. Visit http://www.msn.com