The great thing about the CC images released by Cisco (as long as you're running with ip cef or ip cef dist) is that you can turn this neato command on your interfaces to your customers:

    ip verify unicast reverse-path

This automatically does filtering based on your local router's routing table. This means you can take a customer connection and filter them. You will encounter problems if they are multihomed and have netblocks that you don't route directly to them, but you can make those changes later as they multihome. We've had a few problems with our customers and doing this, when we don't route all their address space, but this is easily fixed.

Asymmetrical routing is an evil you have to live with and adjust to, so if you have more than one upstream, I would not apply such filters to those interfaces.

I would recommend that everyone who has the ability to do this on their routers do so. This will help with many possible problems. If we can get enough people to make this part of their default configuration (such as no ip directed-broadcast is these days) on their ports to customers, we could prevent many DoS attacks. If you have dialup LANs (ie: MCI, UUNET, etc.. who have big public dialup pools) PLEASE filter these, as well as the smaller providers out there.

- jared
On Thu, 28 May 1998, Mr. Dana Hudes wrote:
Who *does* do ingress filtering? I have it on our border routers and customer connect ports. We have transit from MCI and UUNET. Neither has ingress filters -- see below message from MCI on this.

Subject: Re: RFC1918 addresses from MCI
Date: Thu, 28 May 1998 08:16:23 -0700
From: security@mci.net
To: dhudes@graphnet.com
CC: security@mci.net

Mr. Hudes,

Thank you for your note. MCI does not currently source filter address space at its ingress points. Addresses sourced from non-routable or invalid addresses are not blocked or filtered. Addresses destined to non-routable address space are not routed.

If you think it is a security issue and it is on-going then please contact us with the target address so we can investigate.
--
Work: jared@qual.net - We Make The Internet Work for Your Business
9-5pm(ET) 800 637 4424x2634 - 24x7 NOC - 800 424 3223
pgp key available via finger from jared@puck.nether.net
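As an added illustration of what the strict reverse-path check in the post above actually does (this is example code written for this page, not part of Jared's post and not Cisco code), the following Python simulates the decision "ip verify unicast reverse-path" makes on a per-packet basis: look up the packet's source address in the forwarding table and accept the packet only if the best route back to that source points out the interface the packet arrived on. The routing table, interface names (Serial0/0, Serial1/0, Serial1/1) and sample packets are constructed for the example using RFC 5737 documentation prefixes. It also models the multihomed-customer problem the post mentions (a netblock the router learned via the upstream rather than via the customer port) and the fix of routing that netblock toward the customer port. One assumption about IOS behaviour is built in: a source that matches only the default route fails the check unless the allow-default keyword is configured.

```python
import ipaddress

# Constructed routing table for a hypothetical provider edge router.
# Prefixes are RFC 5737 documentation ranges; interface names are made up.
ROUTES = [
    ("0.0.0.0/0",       "Serial0/0"),   # default route toward the upstream
    ("192.0.2.0/24",    "Serial1/0"),   # customer A, single-homed on Serial1/0
    ("198.51.100.0/24", "Serial1/1"),   # customer B, one netblock on Serial1/1
    ("203.0.113.0/24",  "Serial0/0"),   # customer B's other netblock, multihomed:
                                        # we learned it from our upstream, not from B
]


def build_table(routes):
    """Parse (prefix, interface) pairs into a table sorted longest-prefix
    first, so the first containing entry is the longest-prefix match."""
    table = [(ipaddress.ip_network(p), iface) for p, iface in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, addr):
    """Longest-prefix match for addr; returns (network, interface) or None."""
    a = ipaddress.ip_address(addr)
    for net, iface in table:
        if a in net:
            return net, iface
    return None


def rpf_check(table, src, ingress, allow_default=False):
    """Strict unicast RPF as applied on an ingress interface.

    Pass only if the best route back to the source points out the interface
    the packet arrived on.  A match on the default route alone is accepted
    only when allow_default is set (assumed to mirror the IOS 'allow-default'
    keyword); otherwise unrouted or bogus sources are dropped.
    """
    hit = lookup(table, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def filter_packets(table, packets, allow_default=False):
    """Apply the check to (src, ingress_interface) pairs.
    Returns {(src, ingress): 'pass' | 'drop'}."""
    return {
        (src, ingress): "pass" if rpf_check(table, src, ingress, allow_default) else "drop"
        for src, ingress in packets
    }


def fix_multihomed(table, prefix, iface):
    """Return a table in which `prefix` is routed toward the customer port,
    as a static route pointing at the customer would do; this is the change
    the post says is needed once a customer multihomes."""
    net = ipaddress.ip_network(prefix)
    kept = [(str(n), i) for n, i in table if n != net]
    return build_table(kept + [(prefix, iface)])


# Constructed sample traffic: legitimate, spoofed, and the multihomed case.
PACKETS = [
    ("192.0.2.10",   "Serial1/0"),  # customer A from its own block: pass
    ("10.1.1.1",     "Serial1/0"),  # RFC1918 source from customer A: drop
    ("198.51.100.7", "Serial1/0"),  # customer B's address on A's port: drop
    ("203.0.113.5",  "Serial1/1"),  # B's upstream-learned block on B's port: drop
]


def demo():
    """Run the sample packets before and after the multihomed fix."""
    table = build_table(ROUTES)
    before = filter_packets(table, PACKETS)
    fixed = fix_multihomed(table, "203.0.113.0/24", "Serial1/1")
    after = filter_packets(fixed, PACKETS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for key in PACKETS:
        print(f"{key[0]:>14} on {key[1]}: before={before[key]} after={after[key]}")
```

The last sample packet is the case the post warns about: customer B's second netblock is routed toward the upstream, so strict RPF on B's port drops B's own traffic until a route for that block points at the customer interface. Running the same check with a customer source arriving on Serial0/0 also drops it, which is why the post advises against applying the filter on upstream interfaces where asymmetric routing is normal.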
Participants: Jared Mauch