> http://www.uniras.gov.uk/vuls/2004/236929/index.htm
Judging from this, a good idea for peering routers is probably to filter on external interfaces inbound connections from the address range of your loopback addresses. Assuming you have set aside an address range for this, there should be no valid reason for someone outside of your network sending you IP packets sourced from this range. Such an ACL will at least protect your iBGP sessions from outside (but not from your own customers) hijacking.

Assuming your loopbacks are in 192.168.123.0/24 (I hope they're not ;-)):

    ip access-list extended anti-spoofing
     deny ip 192.168.123.0 0.0.0.255 any
     !.. possibly other things ..
     permit ip any any

    interface your-peering-interface
     ip access-group anti-spoofing in

Cheers,
Markus

--
VIA NET.WORKS (Schweiz) AG
Riedstrasse 1, CH-6343 Rotkreuz, Switzerland
Phone: +41 41 798 2121 / Fax: +41 41 798 2122
Markus Wild, Manager Engineering, e-mail: [EMAIL PROTECTED]
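The ACL in the message above only helps if the deny precedes any permit and the ACL is actually applied inbound on every external interface. The following is an added example, not part of the original message: a small Python audit of an IOS-style config for exactly that. The interface names, the `too-late` ACL and the function names are constructed, and only `any` and address/wildcard sources are parsed.

```python
import ipaddress

# Constructed sample (names made up): the message's ACL plus a misordered copy.
SAMPLE = """\
ip access-list extended anti-spoofing
 deny ip 192.168.123.0 0.0.0.255 any
 permit ip any any
ip access-list extended too-late
 permit ip any any
 deny ip 192.168.123.0 0.0.0.255 any
interface Peer0
 ip access-group anti-spoofing in
interface Peer1
 ip access-group too-late in
"""

def split_source(t):
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    # Cisco wildcard = inverted netmask; "host" and non-contiguous forms raise.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(t[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[0]}/{mask}", strict=False), t[2:]

def blocks(entries, loopbacks):
    if entries is None:
        return False                      # no inbound ACL, or ACL not defined
    left = [ipaddress.ip_network(loopbacks)]   # loopback space not yet denied
    for action, proto, src, rest in entries:
        if action == "permit" and any(src.overlaps(n) for n in left):
            return False                  # a spoofed loopback source gets in
        if action == "deny" and proto == "ip" and rest == ["any"]:
            left = [p for n in left if not n.subnet_of(src)
                    for p in (n.address_exclude(src) if src.subnet_of(n) else [n])]
    return True                           # anything left hits the implicit deny

def audit(config, loopbacks):
    """Map each interface to True if its inbound ACL drops all of `loopbacks`."""
    acls, inbound, acl = {}, {}, None
    for w in map(str.split, config.splitlines()):
        if w[:3] == ["ip", "access-list", "extended"]:
            acl = acls.setdefault(w[3], [])
        elif w[:1] == ["interface"]:
            acl, iface = None, w[1]
            inbound[iface] = None
        elif w[:2] == ["ip", "access-group"] and w[-1] == "in":
            inbound[iface] = w[2]
        elif acl is not None and w[:1] in (["deny"], ["permit"]):
            acl.append((w[0], w[1], *split_source(w[2:])))
    return {i: blocks(acls.get(n), loopbacks) for i, n in inbound.items()}
```

Deny entries for a narrower protocol than `ip` are deliberately not counted as protection, so the check errs on the side of reporting an interface as exposed.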