If software from OFRV can do ingress source address checking without performance penalty on edge devices, it should be included as a default. It doesn't make sense to me to run around yelling about strange people in your house if there is technology that can bar entry. Install the lock that is already there and lock the door. We just have to get creative about describing the inclusion of the feature, attendance at a congressional hearing, a demonstration at an industry conference, and a well-written press release about how "we" are doing something about the problem. IOPS could do this. NANOG's press secretary or executive director could do this. :-)

--Kent

From: Jon Lewis <jlewis@inorganic5.fdt.net>
On IOS, aren't packets going through ip access-group filters (that don't do logging) fast switched as of some point in 11.2? If ingress filtering no longer has to put a huge burden on router CPUs, it would be nice to see ingress filtering on the routers backbone providers talk to customers with ...