Hi Pekka,
Spoofing filters (source address is most useful, but a few protocols being deployed now also require destination address based filtering) at your border are still best to prevent external abuse to your infrastructure?
I agree that spoofing filters help also (perhaps we are not communicating)... But TTL helps in places where you can't just anti-spoof.

For example, suppose you have box X which can do ZERO filtering at line rate. Then box Y that can:

    X -> Y

You have a BGP session between X and Y and many untrusted things talking to X. How would I anti-spoof X's protocol traffic when I am at Y? The nice thing about X is that it does, hopefully reliably, decrement the TTL.

Michel, this same answer should apply to your statement. I agree that anti-spoofing helps. But TTL filtering can fix some very interesting problems.

BTW, I am only commenting on TTL filtering and not necessarily Cisco's implementation (I have not even read through their implementation yet).

Regards,
Blaine
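The X -> Y scenario above, as an added example that is not part of the thread: a small Python model of a box X that does no filtering but decrements TTL on everything it forwards, and a box Y that accepts BGP from X only when the arriving TTL shows the packet was originated by X rather than relayed through it. The addresses, function names and the hops parameter are constructed for the illustration.

```python
# Added example (not from the thread): why a TTL check at Y can protect the
# X<->Y BGP session even though X itself cannot filter anything.
from dataclasses import dataclass
from typing import Dict, Optional

BGP_PORT = 179
MAX_TTL = 255  # a router originates its own control-plane packets with TTL 255


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ttl: int


def forward(pkt: Packet) -> Optional[Packet]:
    """Box X as a transit hop: no filtering, but TTL is decremented on every forwarded packet."""
    if pkt.ttl <= 1:
        return None  # TTL would reach 0; X discards the packet instead of forwarding it
    return Packet(pkt.src, pkt.dst, pkt.dport, pkt.ttl - 1)


def originate(src: str, dst: str, dport: int) -> Packet:
    """Box X sending its own BGP traffic; locally generated packets are not decremented."""
    return Packet(src, dst, dport, MAX_TTL)


def ttl_filter(pkt: Packet, peer: str, hops: int = 1) -> bool:
    """Box Y: accept BGP from `peer` only if the TTL proves at most `hops` hops were crossed.

    hops=1 means the peer is directly attached, so a genuine packet must still carry
    TTL 255; anything that transited even one router (X included) arrives with <= 254.
    """
    if pkt.dport != BGP_PORT or pkt.src != peer:
        return True  # not the protected session; whatever other policy Y has applies
    return pkt.ttl >= MAX_TTL - hops + 1


def simulate(hops: int = 1) -> Dict[str, bool]:
    """Deliver one genuine and one spoofed BGP packet to Y and report what Y accepts."""
    X, Y = "10.0.0.1", "10.0.0.2"                    # constructed addresses
    genuine = originate(X, Y, BGP_PORT)              # reaches Y with TTL 255
    spoofed = Packet(X, Y, BGP_PORT, MAX_TTL)        # untrusted host forges X's address and TTL 255
    spoofed_at_y = forward(spoofed)                  # X relays it and knocks the TTL down to 254
    return {
        "genuine": ttl_filter(genuine, peer=X, hops=hops),
        "spoofed": ttl_filter(spoofed_at_y, peer=X, hops=hops),
    }
```

Running `simulate()` shows the forged packet rejected purely on TTL; widening `hops` to 2 lets it through again, which is why the hop count should be kept as tight as the topology allows.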