Leigh Porter writes:
On Thu, Sep 02, 1999 at 10:44:39AM +0100, Leigh Porter wrote:
As a side note, does anybody use anything to prevent address spoofing in their network? That would at prevent a lot of attacks completely and make tracing the rest much easier.
Sure we do.
Same here. Both dialup and leased line customer source addresses are strictly verified.
How do you manage large BGP customers with lots of networks?
The access lists are generated from combined sources, among them our internal database and the information from RIPE. For an update, the access lists are regenerated and the output is a diff in Cisco format for the bits that changed so that it can be directly copied onto the routers.
I do recall something Cisco implemented that checked you have a route back to any source address that comes in on a suitably configured interface else it'll drop the packet as being spoofed, this sounds good - anybody tried it?
No, but anyway this fails in more complex scenarios where symmetric routing cannot be guaranteed.

Robert
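Added example, not part of the thread and not any poster's tooling: a sketch of the workflow described above, where per-customer source-address filters are regenerated from combined prefix sources and only the changed entries are emitted as Cisco configuration. The ACL name `CUST-IN`, the function names, the use of a named extended ACL, and the choice to take the union of the sources are assumptions; the prefixes are constructed documentation ranges.

```python
import ipaddress

def merge_sources(*sources):
    """Union the prefixes from every source and collapse them to the minimal set.
    Assumption: 'combined sources' means a union of internal and registry data."""
    nets = [ipaddress.ip_network(p) for src in sources for p in src]
    return set(ipaddress.collapse_addresses(nets))

def acl_entry(net):
    """One permit line: traffic sourced from the customer's prefix, any destination."""
    return f"permit ip {net.network_address} {net.hostmask} any"

def acl_diff(name, old, new):
    """Config lines that turn the ACL built from `old` into the one built from `new`.
    The ACL holds permits only and relies on the implicit deny at the end,
    so the order in which entries are added does not matter."""
    removed, added = sorted(old - new), sorted(new - old)
    if not removed and not added:
        return []
    lines = [f"ip access-list extended {name}"]
    lines += [f" no {acl_entry(n)}" for n in removed]
    lines += [f" {acl_entry(n)}" for n in added]
    return lines

# Constructed sample data: the previous run and the current run for one customer.
OLD = merge_sources(["192.0.2.0/25", "192.0.2.128/25"],   # internal database
                    ["198.51.100.0/24"])                  # registry route objects
NEW = merge_sources(["192.0.2.0/24"],                     # same space, re-entered as a /24
                    ["203.0.113.0/24"])                   # one prefix dropped, one added

if __name__ == "__main__":
    print("\n".join(acl_diff("CUST-IN", OLD, NEW)))
```

Collapsing before comparing keeps the diff quiet when a source merely re-expresses the same address space, so only real changes reach the router.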