On Tue, 23 Sep 1997, John A. Tamplin wrote:
Maybe I am missing something, but we use an inbound access list on all external links that eliminates IP address spoofing, as well as some basic security issues (blocking NFS, r* commands, etc., just in case some machine inside is misconfigured). If you have an inbound access list that filters based on the source address already, why would you not add the private addresses to that?
This is sort of a different issue. You are filtering IP, not routes. If you peer with someone that is sending you 10/8, even though you have it filtered on the inbound of your interface (which is good for CPU), you will still have a route injected into your route tables, which could be bad. Why not destroy the bad routes before they get to your routing table?

Todd R. Stroup
Fiber Network Solutions, Inc.
John Tamplin Traveller Information Services jat@Traveller.COM 2104 West Ferry Way 205/883-4233x7007 Huntsville, AL 35801
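
Added example, not part of the original thread: a small Python model of the distinction drawn in the reply, showing that an inbound packet filter on source addresses does not stop a peer's 10/8 announcement from entering the routing table, while an inbound route filter does. The peer name `peer-A`, the announcement list and the function names are constructed for illustration.

```python
import ipaddress

# Private address space (the "private addresses" / 10/8 discussed in the thread).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: routes announced by a hypothetical peer.
ANNOUNCEMENTS = [("198.51.100.0/24", "peer-A"),
                 ("10.0.0.0/8", "peer-A"),
                 ("192.168.5.0/24", "peer-A")]

def packet_acl_permits(src):
    """Inbound interface ACL: drop packets whose source address is private."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in PRIVATE)

def route_filter_permits(prefix):
    """Inbound route filter: reject announcements at or inside private space."""
    net = ipaddress.ip_network(prefix)
    return not any(net.subnet_of(p) for p in PRIVATE)

def build_table(announcements, filter_routes):
    """Install announced routes, applying the route filter only if asked to."""
    table = {}
    for prefix, next_hop in announcements:
        if filter_routes and not route_filter_permits(prefix):
            continue  # route is discarded before it reaches the table
        table[ipaddress.ip_network(prefix)] = next_hop
    return table

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in table if addr in n]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]

if __name__ == "__main__":
    acl_only = build_table(ANNOUNCEMENTS, filter_routes=False)
    filtered = build_table(ANNOUNCEMENTS, filter_routes=True)
    # The packet ACL drops inbound packets sourced from 10/8 ...
    print("inbound packet from 10.1.2.3 permitted:", packet_acl_permits("10.1.2.3"))
    # ... but the announced 10/8 route is still installed and used for forwarding.
    print("ACL only, next hop for 10.1.2.3:", lookup(acl_only, "10.1.2.3"))
    print("route filter, next hop for 10.1.2.3:", lookup(filtered, "10.1.2.3"))
```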