On Thu, 7 Jun 2001, Jonas Luster wrote:

> Filtering costs CPU. One of the problems with DoS is the CPU spikes
> (ever seen IP-Input go to 60% while your BGP-Sessions start flapping?
> :). That's why it's so damn problematic to filter. That and customers
> who start whining if you do.

It's only problematic to filter in the core or at routers with huge
transit responsibilities.  Filtering it at the CPE is rather trivial,
especially with a permit on an extended outbound access list (first
match, if the source is right, out goes the packet, fast switched not
process switched.)  What's more, logging the denies could give you an IDS
of sorts if you're into that sort of thing.

If egress filters were mandatory to connect to the Internet, things would
be much, much better than they are.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
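
The egress filter described in the message above, modelled in Python as an added example (not part of the original message, and not router configuration): a first-match list that permits the site's own source prefix, denies and logs everything else, and then reads the deny log as a crude IDS. The prefix 192.0.2.0/24, the packet list and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed CPE egress list: 192.0.2.0/24 stands in for the customer's
# assigned prefix (assumption). Entries are (action, source network, log?).
EGRESS_ACL = [
    ("permit", ipaddress.ip_network("192.0.2.0/24"), False),
    ("deny", ipaddress.ip_network("0.0.0.0/0"), True),  # explicit deny, logged
]

def evaluate(acl, src):
    """First match wins: return (action, log) for the first entry covering src."""
    addr = ipaddress.ip_address(src)
    for action, net, log in acl:
        if addr in net:
            return action, log
    return "deny", False  # modelled implicit deny at end of list, not logged

def filter_egress(acl, packets):
    """Return (forwarded packets, logged denies) for outbound traffic."""
    forwarded, deny_log = [], []
    for pkt in packets:
        action, log = evaluate(acl, pkt["src"])
        if action == "permit":
            forwarded.append(pkt)
        elif log:
            deny_log.append(pkt)
    return forwarded, deny_log

def spoof_targets(deny_log, threshold=3):
    """Destinations hit from >= threshold distinct invalid source addresses."""
    sources = defaultdict(set)
    for pkt in deny_log:
        sources[pkt["dst"]].add(pkt["src"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= threshold}

# Constructed outbound packets as seen on the CPE's upstream interface.
PACKETS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7"},
    {"src": "192.0.2.20", "dst": "203.0.113.9"},
    {"src": "172.16.4.1", "dst": "198.51.100.7"},
    {"src": "203.0.113.50", "dst": "198.51.100.7"},
    {"src": "10.9.8.7", "dst": "198.51.100.7"},
    {"src": "198.18.0.3", "dst": "198.51.100.7"},
    {"src": "10.0.0.5", "dst": "203.0.113.9"},  # likely a misconfigured host
]

if __name__ == "__main__":
    forwarded, deny_log = filter_egress(EGRESS_ACL, PACKETS)
    print(len(forwarded), "forwarded;", len(deny_log), "denied and logged")
    print("possible spoofed floods:", spoof_targets(deny_log))
```

Legitimate traffic matches the first entry and never reaches the logged deny, so the log contains only packets whose source address does not belong to the site.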
