[Who knew, when I began what started as private response, that I'd find a soapbox? This is not so much directed at Tom personally, but at the recurring attitude that he has, all unbeknownst to himself, reiterated just as I got my second wind.]

Tom Beeson <beeson@nm.net> wrote:

> We wrote an in-house perl script to take a Cisco router configuration and build inbound and outbound filters. These filters are then applied to the serial interface that connects to our network and toward the Internet.
You aren't performing the filtering Farnsworth was talking about, you are helping others to do it. You are "stopping spoofed packets from leaving THEIR networks," not your own. Hoping that the configurations you deliver remain in place so that you "are filtering." For those customers that you provide a managed solution, where they do not have access to the configuration, this might be an acceptable substitute. I don't think so, but it's arguably closer since the router is, effectively, part of your network. If it weren't for the physical access at their end I'd call it square, right away.

For those customers that manage their own it's a different story. Your suggestions are likely to be followed, until the first network event after the rules are installed, at which point they will be removed as suspect, then never restored since no "difference" was seen, or (worse) their router "worked" better. Since *you* aren't filtering, you find out about this either through routine checks (which is another can of worms) or *after* something nasty happens. Most likely it won't be Earth-shattering, but it will *happen* -- spilt milk.

You need filters in your edges, even internal ones, because YOU might be cracked, or because your customers are and the oh-so-careful filters you constructed have been removed, or because some edge customer makes a mistake. They need filters in their edges, even their internal ones, because you might be cracked, or because they might be and your oh-so-careful filters have been removed, or because some NOC technician makes a mistake (or made one, a month or six ago). Mutual assurance is not a bad thing.

Bite the bullet. Protect *your* edges *yourself*. This does raise the cost of providing service, since you'll have to buy more router than you *currently* expect for a given situation.
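The filter pair the two messages are arguing about, as an added example in Python (it is not Tom's in-house Perl script and is not taken from the original post): it builds the inbound and outbound anti-spoofing ACLs for a customer's prefixes in Cisco IOS syntax, shows how the same pair binds at either edge (the customer's Internet-facing serial or the provider's customer-facing interface), and evaluates sample source addresses against them. The ACL names, the interface name and the RFC 5737 documentation prefixes are constructed for illustration.

```python
"""Anti-spoofing ACL generator and evaluator (added example, not the
in-house script mentioned in the thread).

From a customer's prefixes it emits two Cisco IOS extended ACLs:
  * <NAME>-FROM-CUST   permits a packet only if its SOURCE lies inside the
                       customer's prefixes (packets leaving the customer);
  * <NAME>-TOWARD-CUST denies a packet whose SOURCE claims to be inside the
                       customer's prefixes (packets arriving for the customer).
The same pair is bound at the customer's Internet-facing interface or at the
provider's customer-facing interface; only the in/out labels swap.
All names and prefixes below are constructed examples.
"""
import ipaddress


def _entry(action, prefix, log=False):
    """Render one IOS ACL entry using a Cisco wildcard (inverse) mask."""
    net = ipaddress.ip_network(prefix, strict=True)
    line = f" {action} ip {net.network_address} {net.hostmask} any"
    return line + " log" if log else line


def build_antispoof_acls(prefixes, name="CUST1"):
    """Return (from_customer_acl, toward_customer_acl) as lists of IOS lines."""
    from_cust = [f"ip access-list extended {name}-FROM-CUST"]
    from_cust += [_entry("permit", p) for p in prefixes]
    from_cust.append(" deny ip any any log")        # any other source is spoofed

    toward_cust = [f"ip access-list extended {name}-TOWARD-CUST"]
    toward_cust += [_entry("deny", p, log=True) for p in prefixes]
    toward_cust.append(" permit ip any any")        # the rest of the Internet
    return from_cust, toward_cust


def interface_stanza(interface, name, vantage):
    """Bind the pair to an interface. vantage is 'provider' (the interface
    faces the customer) or 'customer' (the interface faces the Internet)."""
    if vantage == "provider":
        inbound, outbound = f"{name}-FROM-CUST", f"{name}-TOWARD-CUST"
    elif vantage == "customer":
        inbound, outbound = f"{name}-TOWARD-CUST", f"{name}-FROM-CUST"
    else:
        raise ValueError(f"unknown vantage {vantage!r}")
    return [f"interface {interface}",
            f" ip access-group {inbound} in",
            f" ip access-group {outbound} out"]


def acl_permits(acl, src_ip):
    """Evaluate an ACL built above against a packet's source address:
    first matching entry wins, as on IOS, with an implicit deny at the end."""
    src = int(ipaddress.ip_address(src_ip))
    for line in acl[1:]:                            # skip the ACL header line
        action, _proto, host, wild, *_rest = line.split()
        if host == "any":
            return action == "permit"
        net = int(ipaddress.ip_address(host))
        wild_bits = int(ipaddress.ip_address(wild))
        care = ~wild_bits & 0xFFFFFFFF              # bits the entry actually checks
        if (src & care) == (net & care):
            return action == "permit"
    return False


if __name__ == "__main__":
    prefixes = ["192.0.2.0/24", "198.51.100.0/24"]  # constructed (RFC 5737)
    from_cust, toward_cust = build_antispoof_acls(prefixes)
    print("\n".join(from_cust + toward_cust))
    print("\n".join(interface_stanza("Serial0/0", "CUST1", "provider")))
    print("\n".join(interface_stanza("Serial0/0", "CUST1", "customer")))
    # A packet leaving the customer with an outside source is spoofed and dropped.
    print(acl_permits(from_cust, "203.0.113.9"))
```

Running it prints the IOS lines for both ACLs and both bindings. The reply's point shows up in `interface_stanza`: the provider binds `CUST1-FROM-CUST` inbound on its customer-facing interface and the customer binds the same ACL outbound on its Internet-facing serial, so neither side depends on the other's configuration surviving the next "network event". The permit list must include every prefix the customer can legitimately source, or the filter silently drops their traffic, which is exactly the kind of event after which the reply expects the rules to be ripped out.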