Re: Blocking spoofing at the source (was: ICMP Attacks??)
Phil Howard <phil@charon.milepost.com> writes:
> As long as _one_ _of_ _the_ _routes_ would go back on the interface the packet arrived on, not necessarily the best route, then the logic would work in the majority of cases that I know of.
> But this could require a more extensive route lookup, which would do more than just double the CPU time looking up routes.
Not necessarily. For routers at the very edge of the network, each interface probably has a small and fairly static set of route candidates through it. The router could automatically update a magic IP traffic filter that's updated whenever the set of routes through the interface changes. This, possibly coupled with some aggressive aggregation, is for most cases a Simple Matter Of Programming that wouldn't significantly impact router performance.

Even at the core, the cost of updating filter lists due to route flap has to be much, much less than the cost of doubling (or worse) the number of route table lookups per packet forwarded.

regards,
-- Robert
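As an added illustration, not code from this thread or from any router vendor, the following Python models the scheme Robert sketches above: the router keeps, per interface, a filter built from every route that points out that interface (not only the best one, which is Phil's condition), collapses the prefixes into the fewest covering networks, rebuilds the filter only when a route is added or withdrawn, and then makes one filter-table match per arriving packet. A strict best-path check is included alongside it to show the per-packet route lookup it avoids and the backup-path case where the two disagree. The interface names, prefixes and metrics are constructed sample data; the same idea was later written down as feasible-path reverse path forwarding in BCP 84 (RFC 3704).

```python
"""Per-interface source filter derived from the route set (feasible-path RPF).

Added example, not part of the original mailing-list message. Routing table,
interface names and prefixes below are constructed sample data (IPv4 only).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, collapse_addresses, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str      # outgoing interface for this route
    metric: int     # lower is preferred


class EdgeRouter:
    """Edge router whose ingress filters are rebuilt from its routes."""

    def __init__(self, routes: List[Route]) -> None:
        self.routes: List[Route] = list(routes)
        self.filters: Dict[str, List[IPv4Network]] = {}
        self.rebuild_filters()

    def rebuild_filters(self) -> None:
        """Recompute the per-interface filter from *all* routes via that interface.

        Runs only when the route set changes, never per packet. collapse_addresses
        does the "aggressive aggregation": adjacent and contained prefixes merge.
        """
        per_iface: Dict[str, List[IPv4Network]] = defaultdict(list)
        for r in self.routes:
            per_iface[r.iface].append(r.prefix)
        self.filters = {
            iface: list(collapse_addresses(prefixes))
            for iface, prefixes in per_iface.items()
        }

    def add_route(self, route: Route) -> None:
        self.routes.append(route)
        self.rebuild_filters()

    def withdraw_route(self, route: Route) -> None:
        self.routes.remove(route)
        self.rebuild_filters()

    def best_route(self, addr: IPv4Address) -> Optional[Route]:
        """Forwarding lookup: longest prefix match, ties broken by metric."""
        hits = [r for r in self.routes if addr in r.prefix]
        if not hits:
            return None
        return min(hits, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def accept(self, iface: str, src: str) -> bool:
        """Feasible-path check: does any route via `iface` cover the source?

        One match against the precomputed filter; no route lookup per packet.
        """
        addr = ip_address(src)
        return any(addr in net for net in self.filters.get(iface, []))

    def accept_best_path_only(self, iface: str, src: str) -> bool:
        """Strict best-path check: a full route lookup on the source address for
        every packet, and it wrongly drops traffic arriving over a backup path."""
        best = self.best_route(ip_address(src))
        return best is not None and best.iface == iface


def build_sample_router() -> EdgeRouter:
    """Constructed sample routing table for a small edge router."""
    n = ip_network
    return EdgeRouter([
        Route(n("192.0.2.0/25"), "cust0", 10),      # customer 0, two /25s that aggregate
        Route(n("192.0.2.128/25"), "cust0", 10),
        Route(n("198.51.100.0/24"), "cust1", 10),   # customer 1
        Route(n("203.0.113.0/24"), "cust1", 10),    # multihomed customer 2: primary via cust1
        Route(n("203.0.113.0/24"), "cust0", 20),    # ... and a backup path via cust0
        Route(n("0.0.0.0/0"), "upstream", 10),      # default route towards the provider core
    ])


if __name__ == "__main__":
    router = build_sample_router()
    for iface, nets in sorted(router.filters.items()):
        print(f"{iface:9s} allows sources in {[str(x) for x in nets]}")
    for iface, src in [("cust0", "192.0.2.200"), ("cust0", "198.51.100.7"),
                       ("cust0", "203.0.113.9")]:
        print(iface, src, "feasible-path:", router.accept(iface, src),
              "best-path-only:", router.accept_best_path_only(iface, src))
```

Two things worth noticing when running it. The interface holding the default route ends up with a filter of 0.0.0.0/0, so this scheme can only reject spoofed sources on the customer-facing interfaces, which is exactly where the message above places it. And 203.0.113.9 arriving on cust0 passes the feasible-path filter but fails the best-path check, because cust0 carries only the metric-20 backup route for that prefix; withdrawing that backup route rebuilds the cust0 filter and the packet is then dropped.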
participants (1): Robert Sanders