Re: [apnic-talk] NICs and Egress filtering?

To: Phil Crooker <pcrooker@orix.com.au>
Subject: Re: [apnic-talk] NICs and Egress filtering?
From: Philip Smith <pfs@cisco.com>
Date: Tue, 09 Jan 2001 09:48:27 +1000
Cc: apnic-talk@lists.apnic.net
In-reply-to: <3A590B78.269A31E7@orix.com.au>
Sender: owner-apnic-talk@lists.apnic.net

While it is an admirable thought, I think it would be stepping on dangerous 
ground if the registeries got involved in what ISPs did or did not do. The 
registries, afterall, are only there to ensure the fair and reasonable 
distribution of IP address space and AS numbers.

There are various RFCs (and BCP documents) produced by the community which 
aim to provide all ISPs and end sites with the correct advice on how to go 
about connecting to the Internet. You probably know about 
http://www.denialinfo.com, which is probably one of the better places to 
start looking for Internet security advice...

However, it is reasonable for APNIC's routing special interest group to 
take the idea on, and produce a set of recommendations for the APNIC 
membership, and further afield. The RIPE Working Groups operate on a 
similar model, and have produced several valuable documents.

Maybe something to suggest at the APNIC members meeting at the end of 
APRICOT? Or something for the APNIC Routing SIG meeting the day before?

philip
--

At 11:06 08/01/2001 +1030, Phil Crooker wrote:
>Hi,
>
>I look after Internet security for our company and have often wondered
>....
>
>Considering how important egress filtering of spoofed IP addresses in
>preventing Distributed Denial Of Service attacks, I was wondering
>whether APNIC and the other NICs have considered requiring IP address
>holders to apply egress
>filters on their boundary routers?
>
>It seems to me the major NICs are about the only body that have the
>where-with-all to enforce these filters.  Once done, we would not only
>eliminate DDOS attacks but also make DOS trackable, eliminate spam
>spoofing and hacker techniques that use spoofing.
>
>I guess the main problem would be how to test for it externally.
>
>Anyone care to comment?
>
>regards,
>--
>
>Phil Crooker            ORIX Australia                  61 8 8443 6844
>UNIX SysAdmin           pcrooker@orix.com.au            61 8 8443 6955 (fax)
>
>*              APNIC-TALK: General APNIC Discussion List             *
>* To unsubscribe: send "unsubscribe" to apnic-talk-request@apnic.net *

*              APNIC-TALK: General APNIC Discussion List             *
* To unsubscribe: send "unsubscribe" to apnic-talk-request@apnic.net *

Follow-Ups:
- Re: [apnic-talk] NICs and Egress filtering?
  - From: Phil Crooker <pcrooker@orix.com.au>

References:
- [apnic-talk] NICs and Egress filtering?
  - From: Phil Crooker <pcrooker@orix.com.au>

Prev by Date: Re: [apnic-talk] NICs and Egress filtering?
Next by Date: Re: [apnic-talk] NICs and Egress filtering?
Previous by thread: Re: [apnic-talk] NICs and Egress filtering?
Next by thread: Re: [apnic-talk] NICs and Egress filtering?
Index(es):
- Date
- Thread