On Sat, 9 Jun 2001, Bill Royds wrote:
> Note: RFC 2267 has been superseded by RFC 2827
Thanks, I had indeed missed that.
>
> You are correct, RFC2827 is not a standard but it is a Best Current
> Practice (BCP0038) which could be used as a precedent in a lawsuit if
> it came to that. RFC2827 is about ingress filtering for backbones
> rather than egress filtering for ISPs but the rules are similar. It
> is just which side of the peering point you are looking at. Egress
> filtering would require a lot less horsepower than ingress filtering
> because the border router already has routing tables for what IP
> blocks it accepts traffic. Using this on source address of outgoing
> traffic adds not much more memory overhead (although it does add more
> CPU cost). This is just applying routing rules to outgoing traffic as
> well as incoming traffic rather than doing any censoring.
> The golden rule of egress filtering: Only allow packets out of your
> network with source IP address that you would allow in.
>
So, since we seem to be in basic agreement here- is there anyone who can
come up with a significant impediment to mandatory egress filtering rules
other than getting buy-in (ISO layer 8 issues)?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson [EMAIL PROTECTED]
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
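
The golden rule quoted above, as an added example that is not part of the original thread: the prefix table a border router accepts traffic for is reused to check the source address of outbound packets. The prefix list, the sample packets and the names `EgressFilter` and `filter_outbound` are constructed for illustration.

```python
import ipaddress

# Constructed sample: the prefixes the border router accepts traffic for
# (documentation ranges from RFC 5737 and RFC 3849, not real allocations).
ACCEPTED_INBOUND = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48"]


class EgressFilter:
    """Applies the inbound prefix table to outbound source addresses."""

    def __init__(self, prefixes):
        self.nets = [ipaddress.ip_network(p) for p in prefixes]

    def permits(self, src):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # unparsable source address: drop
        return any(addr.version == n.version and addr in n for n in self.nets)


def filter_outbound(packets, flt):
    """Split (src, dst) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if flt.permits(src) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed outbound traffic seen at the border, as (source, destination).
SAMPLE_PACKETS = [
    ("192.0.2.17", "203.0.113.5"),           # customer address: forward
    ("198.51.100.200", "203.0.113.5"),       # outside the /25 we accept: drop
    ("10.0.0.5", "203.0.113.5"),             # RFC 1918 source leaking out: drop
    ("203.0.113.99", "203.0.113.5"),         # source is not ours: drop
    ("2001:db8:10::1", "2001:db8:ffff::1"),  # customer IPv6 address: forward
]

if __name__ == "__main__":
    fwd, drop = filter_outbound(SAMPLE_PACKETS, EgressFilter(ACCEPTED_INBOUND))
    for src, dst in drop:
        print(f"egress drop: src={src} dst={dst}")
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

Dropped sources are worth logging rather than discarding silently, since an internal host emitting packets with a foreign source address points to misconfiguration or compromise.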