Re: [apnic-talk] NICs and Egress filtering?



Geoff and all,

Geoff Huston wrote:

> "How would they enforce them?"
>
> Good question Joe, and one which I've also thought about without getting
> to any sensible conclusion myself.
>
> Egress filter would ensure that traffic used source addresses consistent
> with routing advertisements (RFC 2827) right?

  IMHO, I believe it would, yes.

>
>
> But surely this would also require that the routing system itself has some
> level of trustable integrity. The issue in my mind is: how is the integrity
> of the routing system managed?

  It really isn't today.  Maybe some day.  And there is one of the problems
with this approach....

>
>
> At 1/7/01 08:52 PM -0500, Joe Abley wrote:
> >On Mon, Jan 08, 2001 at 11:06:08AM +1030, Phil Crooker wrote:
> > > Hi,
> > >
> > > I look after Internet security for our company and have often wondered
> > > ....
> > >
> > > Considering how important egress filtering of spoofed IP addresses is in
> > > preventing Distributed Denial Of Service attacks, I was wondering
> > > whether APNIC and the other NICs have considered requiring IP address
> > > holders to apply egress filters on their boundary routers?
> >
> >I think the more usual place to apply filters to catch spoofing is
> >on the ingress to your network, on the customer-facing circuit.
> >Packet filtering is frequently expensive, which is a good reason
> >to push it out to the edge.
> >
> > > It seems to me the major NICs are about the only bodies that have the
> > > wherewithal to enforce these filters.
> >
> >How would they enforce them?
> >
> >
> >Joe
> >
> >
> >*              APNIC-TALK: General APNIC Discussion List             *
> >* To unsubscribe: send "unsubscribe" to apnic-talk-request@apnic.net *

Regards,

--
Jeffrey A. Williams
Spokesman INEGroup (Over 112k members strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1@ix.netcom.com
Contact Number:  972-447-1800 x1894 or 9236 fwd's to home ph#
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208

