-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 28 Mar 2001, David Schwartz wrote:
On Tue, 27 Mar 2001 15:18:08 PST, David Schwartz said:
The problem is, the filter will block legitimate traffic. IP does not provide any sure way to tell a spoofed packet from an unspoofed packet.
Hmm.. if I *know* that my customer has a single-homed /24, and I see a packet come in from his /24 that has a source address outside that /24, there's a *pretty* *good* chance that something squirrely is going on.
Right. However, it's also entirely possible that the traffic is legitimate. Consider, for example, a sub-customer migrating between two ISPs each with static IPs who currently has them both up.
The optimum approach is to investigate it, determine if it's legitimate or not, and act appropriately. The lazy approach is to filter it and if it's legitimate, wait for the customer to complain. The worst possible approach is to ignore it (either filtering it or not) and hope that if it is a serious problem, the customer will fix it themself.
The filtering advocates don't seem to particularly care whether the problem is fixed or not. What they're missing is that filtering is simply a 'level of service' issue. What's a security and community issue is that root compromises and misconfigurations that threaten others be detected and repaired. Filters can't do that.
No, no, no. You are erring on the side of openness, rather than on the side of security. If you do have a root compromise and someone is able to send out spoofed packets from that system on your network, how are you supposed to know? If you are not filtering spoofed packets, you have no way to know there there is anything going wrong on your network. As far as traffic outside of my address space being legitimate on my network. No. The only traffic outside my address space allowed on my network (if I allowed it at all) would be pre-arranged addresses. If this is the case, your scenario above would be included. This is a policy statment that should be clearly defined by each ISPs routing policy. "I only route my packets unless otherwise arranged". If another ISP connects to me, I will give them an address range, or, if they have their own address range, I will route that. Routing of non-portable address space will only be made under special circumstances. yada yada ya." You get the idea. If you err on the side of security, you keep everything closed until you have to open it up. Just like a firewall. This way you KNOW what is being passed and what will be allowed to be passed when you setup the connection to the customer. If you have and have always had egress filtering, then there is no problem when setting up a new customer. If you add it after the fact, you have to be very careful and explain to the customer why it needs to be there. If everyone edge network on the Internet did egress filtering, we wouldn't have the problem of spoofed packets today. Period. It's that simple. === Tim Flames are welcome. :-) ********************************************** Tim Winders, MCSE, CNE, CCNA Associate Dean of Information Technology South Plains College Levelland, TX 79336 Phone: 806-894-9611 x 2369 FAX: 806-894-1549 Email: TWinders@SPC.cc.tx.us ********************************************** -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (OSF1) Comment: Made with pgp4pine 1.75-6 iEYEARECAAYFAjrCXLsACgkQTPuHnIooYbyPIACgoqTCfd0oEkeZkmct7PmYxBt0 BjgAoK8QMTR2+MR8gm+f4a4EZFpW9vT2 =PqMy -----END PGP SIGNATURE-----