Re: [spoofing-tf] HOWTO draft
To: "Juan P. Cerezo" juampe@localhost
From: Pekka Savola pekkas@localhost
Date: Thu, 14 Sep 2006 08:25:56 +0300 (EEST)
On Wed, 13 Sep 2006, Juan P. Cerezo wrote:
This is the draft of the Anti-Spoofing Howto document, to be
discussed on the list. There are some items to be filled yet, but
people can start to comment on what's been written up to now.
I looked quickly at the first sections only. Two comments below:
4.2.1. Filtering prefixes
- What to filter
Basically, IP traffic with a source address belonging to prefixes that
should not be on the routing table of routers connected to (or that
forward traffic from/to) the public Internet. The most common
characterization of these prefixes is the so-called Bogon Prefixes[1].
==> why do you recommend filtering only bogon prefixes? That's pretty
useless in the grand scheme of spoofing. The more important issue is
filtering out addresses which have been spoofed to be from someone
else's address space.
- Where to filter
On the IP hosts (if the TCP/IP stack implements this option), on the
customer (CPE) routers, on the ISP infrastructure equipment (access
routers and concentrators, DFZ routers).
==> I'd also recommend applying filtering at your peering/upstream
edges:
- outbound: allow out only valid addresses you give transit for (just
in case you glitched somewhere, your wrong traffic won't leak out;
also disables transit stealing by static routing)
- inbound: disallow your own singlehomed addresses as source
FWIW, we've done both of these successfully for quite some time now.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
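The three filtering points raised in this exchange (source validation on customer access interfaces, dropping bogons and your own single-homed space on the peering/upstream inbound side, and letting out only the space you give transit for on the outbound side) can be modelled as a small policy check. The code below is an added illustration, not part of the HOWTO draft or of Pekka's message; the ISP name, interface names and all prefixes (RFC 5737 documentation ranges and a short hand-picked bogon list) are constructed for the example.

```python
"""Source-address validation at three points of a hypothetical ISP network.

Added example: prefixes, interface names and packets are constructed and
stand in for a real routing table and a real bogon list.
"""
import ipaddress

# Space the ISP originates or gives transit for (constructed, RFC 5737 ranges).
TRANSIT_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),     # our own customers
    ipaddress.ip_network("198.51.100.0/24"),  # downstream we give transit to
]

# Our own single-homed space: legitimately reaches us only from the inside,
# so it must never arrive from a peer or upstream as a source address.
SINGLEHOMED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Short constructed bogon list (reserved space that should not be seen as a
# source on the public Internet). A real deployment would pull a maintained list.
BOGON_PREFIXES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Access-router interface -> prefixes routed to the customer behind it
# (hypothetical interface names).
CUSTOMER_INTERFACES = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("192.0.2.0/25")],
}


def in_any(addr, prefixes):
    """True if addr falls inside any of the given networks."""
    return any(addr in p for p in prefixes)


def check_customer_ingress(src, iface):
    """Access router, inbound from a customer: the source must be one of the
    prefixes routed to that interface, otherwise it is spoofed or misrouted."""
    addr = ipaddress.ip_address(src)
    if in_any(addr, CUSTOMER_INTERFACES.get(iface, [])):
        return ("permit", "source routed to this customer interface")
    return ("drop", "source not routed to this customer interface")


def check_edge_inbound(src):
    """Peering/upstream edge, inbound: drop bogons and our own single-homed space."""
    addr = ipaddress.ip_address(src)
    if in_any(addr, BOGON_PREFIXES):
        return ("drop", "bogon source")
    if in_any(addr, SINGLEHOMED_PREFIXES):
        return ("drop", "our single-homed prefix arriving from outside")
    return ("permit", "external source")


def check_edge_outbound(src):
    """Peering/upstream edge, outbound: let out only sources we give transit for,
    so an internal filtering glitch cannot leak spoofed traffic to the world."""
    addr = ipaddress.ip_address(src)
    if in_any(addr, TRANSIT_PREFIXES):
        return ("permit", "source within our transit space")
    return ("drop", "source outside our transit space")


def evaluate(point, src, iface=None):
    """Dispatch a packet's source address to the check for a given filter point."""
    if point == "customer_ingress":
        return check_customer_ingress(src, iface)
    if point == "edge_inbound":
        return check_edge_inbound(src)
    if point == "edge_outbound":
        return check_edge_outbound(src)
    raise ValueError(f"unknown filter point: {point}")


def count_drops(packets):
    """packets: iterable of (point, src, iface) tuples; returns number dropped."""
    return sum(1 for point, src, iface in packets
               if evaluate(point, src, iface)[0] == "drop")


if __name__ == "__main__":
    # Constructed sample traffic run through all three filter points.
    sample = [
        ("customer_ingress", "198.51.100.7", "ge-0/0/1"),   # legitimate customer
        ("customer_ingress", "203.0.113.5", "ge-0/0/1"),    # spoofed on access port
        ("edge_inbound", "10.1.2.3", None),                 # bogon from upstream
        ("edge_inbound", "192.0.2.9", None),                # our own space from outside
        ("edge_inbound", "203.0.113.5", None),              # ordinary external source
        ("edge_outbound", "198.51.100.7", None),            # transit customer leaving
        ("edge_outbound", "203.0.113.5", None),             # not ours: would leak
    ]
    for point, src, iface in sample:
        verdict, reason = evaluate(point, src, iface)
        print(f"{point:17} {src:15} {verdict:6} {reason}")
    print("dropped:", count_drops(sample))
```

The customer-interface check is the per-port form of the filtering Pekka asks about (stopping sources that were spoofed to be someone else's space), while the two edge checks are the belt-and-braces layer he describes at the peering/upstream boundary; the bogon list alone catches only the first `edge_inbound` case.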