[lir-wg] AS Number Policy
Pekka Savola pekkas at netcore.fi
Thu Jul 11 20:11:26 CEST 2002
On Thu, 11 Jul 2002, Kurt Erik Lindqvist wrote:
>
> > If the ISP doesn't do ingress filtering from the direction of the
> > customer, it will be done somewhere in the internet anyway. Is it not
                                                                      ^^^
> > _better_ for the customer to get the block immediately (e.g. in the case
> > of misconfigured addresses), rather than have to wait for someone distant
> > to do it. They won't be getting return packets _anyway_...

Oops, I made a drastic typo when editing the message. Cut off that 'not',
so we agree.

> Well, if all those packets get filtered somewhere else in the network, that
> part has surely never been in the path to the networks I worked for. We
> have always seen DoS attacks with forged source addresses.

We perform an additional form of filtering at our border routers to upstreams
and peerings (for ingress, check that our addresses are not listed; for
egress, we drop packets with private and other martian addresses just to
be sure).

This does not, naturally, help with identifying spoofed DoS attacks
reliably.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
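
The border checks described in the message above, sketched as an added example (not from the original post or its author). The prefix list, the martian list, the function name, and the choice to test both source and destination on egress are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a documentation prefix standing in for the operator's own space.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Illustrative IPv4 martian list (an assumption, not taken from the post).
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
)]
# Multicast is never valid as a source, but is a legitimate destination.
SOURCE_ONLY_MARTIANS = [ipaddress.ip_network("224.0.0.0/4")]


def _matches(addr, networks):
    return any(addr in net for net in networks)


def border_verdict(direction, src, dst):
    """Return (action, reason) for a packet crossing the border to an upstream or peer."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if direction == "ingress":
        # A packet arriving from outside cannot legitimately carry our own source.
        if _matches(s, OWN_PREFIXES):
            return ("drop", "own prefix as source on ingress")
        return ("permit", "")
    if direction == "egress":
        if _matches(s, MARTIANS + SOURCE_ONLY_MARTIANS):
            return ("drop", "martian source on egress")
        if _matches(d, MARTIANS):
            return ("drop", "martian destination on egress")
        return ("permit", "")
    raise ValueError("direction must be 'ingress' or 'egress'")


if __name__ == "__main__":
    # Constructed packets: (direction, source, destination).
    samples = [
        ("ingress", "198.51.100.9", "198.51.100.20"),  # our address from outside
        ("ingress", "203.0.113.7", "198.51.100.20"),   # forged third-party source
        ("egress", "10.1.2.3", "192.0.2.1"),           # leaked private source
        ("egress", "198.51.100.9", "203.0.113.7"),     # normal outbound traffic
    ]
    for pkt in samples:
        print(pkt, "->", border_verdict(*pkt))
```

The second sample is permitted: a forged source that belongs to some third party is indistinguishable at this border, which is the limitation the last paragraph of the message points out.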