On Thu, 2006-09-28 at 01:21 -0400, Curtis Villamizar wrote:
> OK. You are looking for a test that can be made at forwarding time -
> sort of a "perfect RPF". Unfortunately asymmetric routes may make a
> perfect RPF infeasible.
>

Asymmetry may be a problem in the core, but not as much on the edges. It shouldn't be much of a problem to prevent spoofing from most residential and corporate networks world-wide, if it could be enforced.

> For the above cases, for your single homed direct customers you can
> not accept traffic with their source addresses but soon this becomes a
> rather large and hard to maintain filter. Maybe if you had a "single
> homed customer" BGP community you could install RPF-like filters
> blocking traffic with source addresses for each prefix with this
> community and protecting your own single homed customers.
>
> Does that help?
>

Not in attacks based on reflections towards spoofed sources. It only prevents hosts within "my network" from being used as amplifiers in attacks on "my own" customers.

All of this boils down to the fact that we can add any number of new mechanisms to control traffic and not achieve a thing unless the ones with the stick (transit operators) are willing to use it to enforce deployment, as was done wrt similar issues e.g. in NSFNET ages ago.

--
Per Heldal - http://heldal.eml.cc/

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
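To make the trade-off in this exchange concrete, here is an added example (not from the thread, and not any vendor's implementation) that simulates strict uRPF and the community-driven per-prefix filter for single-homed customers against a small constructed FIB. The interface names, prefixes and the asymmetric path for the multihomed prefix are assumptions chosen to show where each check drops spoofed traffic and where strict uRPF rejects legitimate traffic.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: prefix -> best egress interface.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"):     "cust-A",   # single-homed customer A
    ipaddress.ip_network("198.51.100.0/24"):  "peer-1",   # multihomed; best path via peer-1
    ipaddress.ip_network("0.0.0.0/0"):        "transit",  # default route
}

# Prefixes carrying the hypothetical "single-homed customer" BGP community,
# mapped to the customer port they are attached to.
SINGLE_HOMED = {ipaddress.ip_network("192.0.2.0/24"): "cust-A"}


def fib_lookup(addr):
    """Longest-prefix match: return the egress interface the FIB would use for addr."""
    addr = ipaddress.ip_address(addr)
    best = max((n for n in FIB if addr in n), key=lambda n: n.prefixlen)
    return FIB[best]


def strict_urpf(src, ingress):
    """Strict uRPF ("perfect RPF"): accept only if the FIB routes src back out
    the interface the packet arrived on. Breaks when the return path is asymmetric."""
    return fib_lookup(src) == ingress


def single_homed_filter(src, ingress):
    """RPF-like filter derived from the community, as suggested in the thread:
    a single-homed customer port may only source its own prefixes (BCP38 style),
    and a source inside a single-homed prefix is refused on every other port.
    Sources belonging to anyone else are left alone."""
    src = ipaddress.ip_address(src)
    own = [p for p, port in SINGLE_HOMED.items() if port == ingress]
    if own:
        return any(src in p for p in own)
    return not any(src in p for p in SINGLE_HOMED)


if __name__ == "__main__":
    # Legitimate multihomed return traffic arriving on the non-best path.
    print("strict uRPF, asymmetric:", strict_urpf("198.51.100.5", "peer-2"))     # False
    print("community filter, asymmetric:", single_homed_filter("198.51.100.5", "peer-2"))  # True
    # Packet from outside claiming customer A's address (reflection toward A).
    print("community filter, spoofed A:", single_homed_filter("192.0.2.10", "transit"))   # False
```

The last case the thread raises, a spoofed source that belongs to some other network arriving from transit, passes both the per-prefix filter (it carries no community) and can only be caught where that source's own edge enforces ingress filtering.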
