Re: [spoofing-tf] HOWTO draft
To: Pekka Savola pekkas@localhost
From: Fernando García fgarcia@localhost
Date: Thu, 14 Sep 2006 08:21:06 +0200
Hello
On 14/09/2006, at 7:25, Pekka Savola wrote:
> On Wed, 13 Sep 2006, Juan P. Cerezo wrote:
> > 4.2.1. Filtering prefixes
> > - What to filter
>
> ==> why do you recommend filtering only bogon prefixes? That's
> pretty useless in the grand scheme of spoofing. The more important
> issue is filtering out addresses which have been spoofed to be from
> someone else's address space.

We don't recommend filtering ONLY bogon prefixes. Looking at the
examples (and this is a howto) you can see that we filter bogon
prefixes and other addresses known to be invalid (our own address in
incoming traffic, NOT our own address in outgoing traffic, etc.)

> ==> I'd also recommend applying filtering at your peering/upstream
> edges:
> - outbound: allow out only valid addresses you give transit for
> (just in case you glitched somewhere, your wrong traffic won't leak
> out; also disables transit stealing by static routing)
> - inbound: disallow your own singlehomed addresses as source

That is also included in the document.
Regards
------------------------------------------------
Fernando Garcia |Tel: +34 91 4359687
EUROCOMERCIAL I&C SA |Fax: +34 91 4313240
Valentín Beato, 5 |e-mail: fgarcia@localhost
E-28037 Madrid |
Spain |http://www.eurocomercial.es
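
The source-address rules discussed in this thread (bogon sources and our own prefixes dropped inbound; only our own and transit customers' sources allowed outbound), as an added example that is not part of the original message or the HOWTO draft. The prefixes are constructed documentation ranges, the bogon list is abbreviated, and all names are hypothetical; IPv4 only.

```python
import ipaddress

# Abbreviated, constructed bogon list (not a complete or current one).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
# Hypothetical address plan using documentation prefixes.
OWN_SINGLEHOMED = [ipaddress.ip_network("198.51.100.0/24")]    # our own space
TRANSIT_CUSTOMERS = [ipaddress.ip_network("203.0.113.0/24")]   # space we give transit for


def _matches(addr, networks):
    return any(addr in net for net in networks)


def check_source(src, direction):
    """Return (allowed, reason) for a source address seen at a peering/upstream edge."""
    addr = ipaddress.IPv4Address(src)  # raises ValueError on anything but IPv4
    if direction == "inbound":
        if _matches(addr, BOGONS):
            return False, "bogon source"
        if _matches(addr, OWN_SINGLEHOMED):
            return False, "own single-homed prefix arriving from outside"
        return True, "ok"
    if direction == "outbound":
        # Allow-list: anything we neither originate nor carry transit for is dropped,
        # which covers bogons, spoofed foreign space and accidental leaks alike.
        if _matches(addr, OWN_SINGLEHOMED + TRANSIT_CUSTOMERS):
            return True, "ok"
        return False, "source not in space we originate or give transit for"
    raise ValueError("direction must be 'inbound' or 'outbound'")


def dropped(packets):
    """Filter constructed (src, direction) pairs down to the ones the edge would drop."""
    result = []
    for src, direction in packets:
        allowed, reason = check_source(src, direction)
        if not allowed:
            result.append((src, direction, reason))
    return result


# Constructed sample traffic; 192.0.2.55 stands in for an unrelated external host.
SAMPLE = [("10.1.2.3", "inbound"), ("198.51.100.7", "inbound"),
          ("192.0.2.55", "inbound"), ("198.51.100.7", "outbound"),
          ("203.0.113.9", "outbound"), ("192.0.2.55", "outbound")]

if __name__ == "__main__":
    for row in dropped(SAMPLE):
        print(row)
```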