On Sat, 12 Jul 1997, Daniel Senie wrote:
Another thing I'd like folks to consider. Many of you manage the routers at customer sites. I would guess that in most cases, folks forging IP addresses are NOT the folks who have access to routers at a site. If you, as an ISP, manage the router at the customer end of a circuit, ADD FILTERS THERE! Make sure that packets transmitted from the customer's router to your network are VALID addresses. The
FDT has an office with a Sprint/Centel T1 in which Sprint supplies and maintains the router at our end...an intolerable situation, but that's another story. The topic of access-list filters has come up many times, and Sprint refused to add any filters to the 2501 at our end, and would not give FDT access to it in any way. I noticed they were doing no filtering whatsoever, and promptly gave them some real life examples of why egress filtering is a good thing by forging packets into their NOC. They proved their cluelessness by adding tcp and udp egress filters, rather than just ip. Last time I tried, I could still forge icmp from tlh.

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>    |  Unsolicited commercial e-mail will
 Network Administrator         |  be proof-read for $199/message.
 Florida Digital Turnpike      |
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
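The failure Jon describes (a source-address check written per protocol, so ICMP with a forged source still leaves the customer router) can be reproduced with a small first-match ACL evaluator. This is an added example, not part of the post or any Sprint configuration; the customer prefix, the forged source and the shape of the "weak" rule set are constructed assumptions modelled on IOS extended access-list semantics (first match wins, implicit deny at the end).

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the prefix assigned to the customer site (documentation space).
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network   # source addresses the rule matches


def evaluate(acl, proto, src):
    """First matching rule decides; no match falls to the implicit deny."""
    addr = ipaddress.ip_address(src)
    for rule in acl:
        if rule.proto in ("ip", proto) and addr in rule.src:
            return rule.action == "permit"
    return False


# Hypothetical reconstruction of the weak filter: source checked for tcp and
# udp only, every other protocol (icmp included) let through unchecked.
WEAK_EGRESS = [
    Rule("permit", "tcp", CUSTOMER_PREFIX),
    Rule("permit", "udp", CUSTOMER_PREFIX),
    Rule("deny", "tcp", ANY),
    Rule("deny", "udp", ANY),
    Rule("permit", "ip", ANY),
]

# Corrected filter: one rule on the whole ip protocol; anything not sourced
# from the customer prefix, whatever the protocol, hits the implicit deny.
FIXED_EGRESS = [Rule("permit", "ip", CUSTOMER_PREFIX)]

# Constructed packets leaving the customer router toward the ISP.
PACKETS = [
    ("tcp", "192.0.2.10"),     # legitimate customer traffic
    ("icmp", "192.0.2.10"),    # legitimate ping from the customer
    ("tcp", "198.51.100.7"),   # forged source address
    ("icmp", "198.51.100.7"),  # forged source address, icmp
]


def audit(acl):
    """Map each constructed packet to whether the ACL lets it out."""
    return {(proto, src): evaluate(acl, proto, src) for proto, src in PACKETS}


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_EGRESS), ("fixed", FIXED_EGRESS)):
        for (proto, src), allowed in audit(acl).items():
            print(f"{name:5} {proto:4} from {src:14} -> {'permit' if allowed else 'deny'}")
```

Running it shows the weak rule set stopping forged tcp and udp but passing forged icmp, while the single ip rule stops every forged source and still permits the customer's own icmp.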