
From: Randy Bush <randy@psg.com>
To: Joe Shaw <jshaw@insync.net>
CC: John Fraizer <John.Fraizer@EnterZone.Net>, Dan Hollis <goemon@sasami.anime.net>, bandregg@redhat.com, nanog@merit.edu
Subject: Re: SYN spoofing
Date: Mon, 2 Aug 1999 17:09:55 +0200 (CEST)
How hard is it really to put a filter on your outbound links that says drop all ip traffic heading out these links that isn't from my IP space?
trivial. only one gotcha. if it is a backbone router, it will fall over dead. beyond that, not a problem.
backbone level traffic can not be packet filtered by current real routers. but we've had this discussion a few times already.
randy
Which is why it's more scalable to do packet filtering at the edge, and leave the core to do what it does best...switch packets. -rb

backbone level traffic can not be packet filtered by current real routers. but we've had this discussion a few times already. Which is why it's more scalable to do packet filtering at the edge, and leave the core to do what it does best...switch packets.
yup, that is the conclusion which was reached every one of the many times this has been discussed over the last years. in the future, there may come real routers (i.e. routers which can be and are usable by large isps on large capacity circuits) which have more per-packet processing power at a low enough level of the implementation (i.e. silicon) to allow backbones to filter bogons. also note that reverse-route checks don't work in meshes of any complexity, i.e. backbones.
randy
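The two filtering approaches under discussion, written out as an added example that is not part of the thread and not anyone's production configuration: a static source-address filter at the customer edge (the "drop anything not from my IP space" rule Joe asks about) and a strict reverse-path check against a routing table. All prefixes, interface names and the FIB contents are constructed for illustration. The reverse-path function is deliberately run on a constructed asymmetric case, where the best route back to a source points at a different interface than the one a legitimate packet arrived on, to show the false positive Randy refers to when he says reverse-route checks don't work in meshes.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread): the prefixes each customer
# interface on an edge router is allowed to source packets from.
EDGE_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/24", "203.0.113.0/25"],
}

# Constructed backbone FIB: (prefix, outgoing interface). In a mesh the
# remote side may prefer a different path than we do, so packets sourced
# from 192.0.2.0/24 can legitimately arrive on to-pop-west even though our
# route back to that prefix points at to-pop-east. A default route is
# included because it also weakens a reverse-path check: any otherwise
# unrouted source "matches" the default and is permitted on that interface.
BACKBONE_FIB: List[Tuple[str, str]] = [
    ("192.0.2.0/24", "to-pop-east"),
    ("198.51.100.0/24", "to-pop-west"),
    ("0.0.0.0/0", "to-upstream"),
]


def lpm(fib: List[Tuple[str, str]], ip: str) -> Optional[str]:
    """Longest-prefix match on a source or destination address.
    Returns the outgoing interface of the most specific matching route."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def edge_filter(in_iface: str, src_ip: str) -> str:
    """Static ingress filter at the customer edge: permit a packet only if its
    source address lies inside a prefix assigned to the interface it arrived
    on. Anything else is a spoofed/bogon source and is dropped. This is the
    edge-side rule the thread recommends over filtering in the core."""
    addr = ipaddress.ip_address(src_ip)
    for prefix in EDGE_PREFIXES.get(in_iface, []):
        if addr in ipaddress.ip_network(prefix):
            return "permit"
    return "drop"


def strict_urpf(fib: List[Tuple[str, str]], in_iface: str, src_ip: str) -> str:
    """Strict reverse-path check: look the *source* address up in the FIB and
    permit only if the best route back to it leaves via the interface the
    packet came in on. Correct on a single-homed stub link; on an asymmetric
    mesh it drops legitimate traffic whenever forward and return paths differ."""
    return "permit" if lpm(fib, src_ip) == in_iface else "drop"


def mesh_false_positive() -> Dict[str, str]:
    """Constructed demonstration of the asymmetry problem: the same legitimate
    source address is accepted on the interface our FIB prefers and dropped
    on the other valid path into the mesh."""
    return {
        "via_east": strict_urpf(BACKBONE_FIB, "to-pop-east", "192.0.2.5"),
        "via_west": strict_urpf(BACKBONE_FIB, "to-pop-west", "192.0.2.5"),
    }


if __name__ == "__main__":
    print("edge cust-a 192.0.2.10  ->", edge_filter("cust-a", "192.0.2.10"))
    print("edge cust-a 198.51.100.7->", edge_filter("cust-a", "198.51.100.7"))
    print("strict uRPF on mesh     ->", mesh_false_positive())
```

The edge filter needs no routing state at all, only the static list of what is assigned behind each customer port, which is why it scales where the customer attaches rather than in the backbone. The reverse-path check looks attractive because it reuses the forwarding table, but the constructed `mesh_false_positive()` case shows it only works where the return path is unambiguous.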

I wonder if any of the cisco experts could comment on an idea for removing bogons from the core...

Questions:
- do folks use cisco's policy routing capabilities on their routers? core routers?
- does the use of policy routing significantly affect performance in the core?

The thought is that using policy routing capabilities of IOS, it appears possible to separate out traffic matching certain characteristics, including source addresses. If packets with bogus source addresses can be so identified, the policy routing could route these to null0.

I don't know how Cisco did their implementation of this feature. It's certainly possible to construct hardware which does source IP address matching in hardware looking for bogons, by the same methods used to do destination address matching (a.k.a. routing table lookups).

--
-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranthnetworks.com

- do folks use cisco's policy routing capabilities on their routers? core routers?
cpe, not core. and an oft-unmentioned problem, as aggregation routers take relatively large aggregations via channelized t3/e3 and bigger interfaces, and most of those routers are underhorsed (insert rant on 75xx sl^H^Htime-to-market), doing it on aggregation routers is often not reasonable.
- does the use of policy routing significantly affect performance in the core?
it would if folk did it. hence they don't.
I don't know how Cisco did their implementation of this feature.
optimism is not warranted.
randy