Hi,

On Thu, Sep 02, 1999 at 11:46:02AM +0100, Leigh Porter wrote:
> As a side note, does anybody use anything to prevent address spoofing in their network? That would prevent a lot of attacks completely and make tracing the rest much easier.
Sure we do.
On our ingress interfaces to our customers, we have very strict access lists ("permit ip <customer net> any / deny ip any any log").
> How do you manage large BGP customers with lots of networks?
Hmmm, I have to admit that I don't - we're not THAT large yet, so our BGP customers are usually pretty small and only have two or three network blocks, so filtering is feasible. (As I filter their BGP announcements anyway, adding the networks to the ingress access-list isn't much more effort).
> I would also be interested to know performance hits on the routers for this.
The access lists per interface are usually no longer than up to 10 lines, and the routers seem to manage fine.
> I do recall something Cisco implemented that checked you have a route back to any source address that comes in on a suitably configured interface else it'll drop the packet as being spoofed, this sounds good - anybody tried it?
This is in IOS 12.0, and you need to have CEF enabled to use it. As our production routers don't use IOS 12 yet, I haven't tried it. It would certainly be very nice.

Gert Doering -- NetMaster -- SpaceNet GmbH
Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14, 80807 Muenchen
Tel : +49-89-32356-0
Fax : +49-89-32356-299
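For readers who want to see the two mechanisms discussed in this thread side by side, here is an added IOS configuration example; it is not from Gert's post or SpaceNet's routers. The customer prefix 192.0.2.0/24, the point-to-point addresses in 203.0.113.0/24 and the interface names Serial0/0 and Serial0/1 are placeholders. The first part is the per-customer ingress access list Gert describes ("permit ip <customer net> any / deny ip any any log"); the second is the CEF-based source check referred to in the last exchange, which IOS 12.0 enables with `ip verify unicast reverse-path`.

```cisco
! Added example, not from the original post. Prefixes and interface
! names are placeholders.
!
! --- Approach 1: static ingress ACL, one per customer interface ---
! Only packets sourced from the customer's own block may enter; anything
! else is dropped and logged, so spoofing attempts show up in syslog.
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
interface Serial0/0
 description Customer A (single prefix, static filter)
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
!
! --- Approach 2: unicast RPF (IOS 12.0, requires CEF) ---
! For each incoming packet the router looks up the source address in the
! CEF table and accepts the packet only if the best route back to that
! source points out the interface it arrived on. Nothing per-customer to
! maintain, which is what makes it attractive for BGP customers with many
! prefixes: whatever they announce (and you accept) becomes valid source
! space on that interface automatically.
ip cef
!
interface Serial0/1
 description Customer B (BGP, many prefixes)
 ip address 203.0.113.5 255.255.255.252
 ip verify unicast reverse-path
!
! --- Verification ---
!   show ip interface Serial0/1 | include verify
!     (confirms RPF is active and shows the count of dropped packets)
!   show access-list 101
!     (hit counters on the deny line reveal spoofed traffic on Serial0/0)
```

Two practical caveats. The `log` keyword on the deny line is what makes the ACL useful for tracing, but each logged match costs router CPU, so during a high-rate spoofing flood the logging itself becomes the performance hit Leigh asked about; rate-limiting the log messages or removing `log` on a busy interface is the usual trade-off. Unicast RPF in this strict form only works where routing is symmetric: a multihomed customer whose return path prefers another interface would have legitimate packets dropped as spoofed, so it fits single-homed customer edge links, exactly the kind of ingress interface Gert is filtering here.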