Re: [Full-Disclosure] Odd packet?
Date: Wed May 26 2004 - 12:44:16 CDT
On Wed, 26 May 2004 13:16:52 EDT, you said:
> Well, when you're cranking gigabits sometimes those little checks can
> become a bottleneck.
Especially on older Cisco gear. However, it's been a few years since
their stuff wasn't able to do at least basic filtering at line speed (and Juniper
has always been good at line-rate stuff). I haven't heard if the newly
announced Ciscos are able to do filtering on their OC768 interfaces at
> Besides, safe routing begins at home. If end-users (or endpoints) would
> do ingress/egress filtering, there wouldn't be a problem. I'm not so
> certain we should place the blame on the core backbone for passing the
> packets it is sent without alteration.
Everybody agrees that it's painful to do it in the core, simply because URPF
doesn't work well with the asymmetric routing that BGP sometimes
hands you - and the alternative isn't pretty when the default-free zone is
sitting at some 110K routes... ;)
On the other hand, not doing URPF or equivalent at the ISP's edge router to a
single-homed customer is pretty lame. Considering that some 30% of the traffic
that arrives at the root nameservers has source addresses in RFC1918 space,
there's a LOT of broken NAT configs that are spewing and a LOT of broken ISPs
that aren't doing bogon filtering....
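The checks discussed in the message above, as an added example that is not part of the original post: a simplified model of strict and loose URPF plus an RFC1918 source filter on an edge router. The route table, interface names and addresses are constructed for illustration, and the model assumes the default route counts as a match in strict mode.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: prefix -> egress interface.
FIB = {
    "0.0.0.0/0": "upstream0",
    "198.51.100.0/24": "cust-a",   # single-homed customer
    "203.0.113.0/24": "peer1",     # multi-homed network, best path via peer1
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def best_route(src):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()]
    hits = [(n, ifc) for n, ifc in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def is_rfc1918(src):
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in RFC1918)

def strict_urpf(src, in_if):
    """Pass only if the best route back to src leaves via the arrival interface.
    Assumption: the default route is allowed to satisfy the check."""
    route = best_route(src)
    return route is not None and route[1] == in_if

def loose_urpf(src):
    """Pass if any non-default route to src exists, on any interface."""
    route = best_route(src)
    return route is not None and route[0].prefixlen > 0

def edge_accepts(src, in_if):
    """Edge policy: drop RFC1918 sources, then apply strict URPF."""
    return not is_rfc1918(src) and strict_urpf(src, in_if)

if __name__ == "__main__":
    cases = [("198.51.100.7", "cust-a"),   # customer's own prefix
             ("192.0.2.99", "cust-a"),     # source outside the customer prefix
             ("192.168.1.10", "cust-a"),   # leaked RFC1918 source
             ("203.0.113.5", "upstream0"), # asymmetric return path
             ("10.1.2.3", "upstream0")]    # RFC1918 matching the default route
    for src, ifc in cases:
        print(src, ifc, "strict:", strict_urpf(src, ifc),
              "loose:", loose_urpf(src), "edge:", edge_accepts(src, ifc))
```

The `203.0.113.5` case is the asymmetric-routing problem: the packet is legitimate but fails strict URPF because the best return path uses a different interface. The `10.1.2.3` case shows why bogon filtering is a separate check in this model.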