Open Source and information security mailing list archives
Message-ID: <200405261744.i4QHiG7c025893@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Odd packet? 

On Wed, 26 May 2004 13:16:52 EDT, you said:
> Well, when you're cranking gigabits sometimes those little checks can 
> become a bottleneck.

Especially on older Cisco gear.  However, it's been a few years since
their stuff wasn't able to do at least basic filtering at line speed (and Juniper
has always been good at line-rate stuff).  I haven't heard if the newly
announced Ciscos are able to do filtering on their OC768 interfaces at
line rate...

> Besides, safe routing begins at home.  If end-users (or endpoints) would 
> do ingress/egress filtering, there wouldn't be a problem.  I'm not so 
> certain we should place the blame on the core backbone for passing the 
> packets it is sent without alteration.

Everybody agrees that it's painful to do it in the core, simply because URPF
doesn't work well with the asymmetric routing that BGP sometimes
hands you - and the alternative isn't pretty when the default-free zone is
sitting at some 110K routes... ;)

On the other hand, not doing URPF or equivalent at the ISP's edge router to a
single-homed customer is pretty lame.  Considering that some 30% of the traffic
that arrives at the root nameservers has source addresses in RFC1918 space,
there's a LOT of broken NAT configs that are spewing and a LOT of broken ISPs
that aren't doing bogon filtering....
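
An added illustration of the point above, not part of the original message: a simplified Python model of a strict uRPF check plus an RFC1918 source filter, showing why it is clean at a single-homed customer edge and drops legitimate traffic under asymmetric routing. The routing tables, interface names and function names are constructed for the example.

```python
import ipaddress

# RFC 1918 private ranges: never a valid source address on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample tables (prefix -> interface the best route points out of).
# Edge router: one single-homed customer on cust0, everything else upstream.
EDGE_FIB = {"192.0.2.0/24": "cust0", "0.0.0.0/0": "up0"}
# Default-free core router: best path to this prefix is via peerA, but the
# remote network sends its traffic in through peerB (asymmetric routing).
CORE_FIB = {"198.51.100.0/24": "peerA", "203.0.113.0/24": "peerB"}

def is_rfc1918(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)

def best_route(fib, src):
    """Longest-prefix match; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in fib]
    hits = [n for n in nets if addr in n]
    if not hits:
        return None
    return fib[str(max(hits, key=lambda n: n.prefixlen))]

def strict_urpf_accepts(fib, src, in_iface):
    """Accept only if the best route back to src uses the arrival interface."""
    return best_route(fib, src) == in_iface

def edge_filter(fib, src, in_iface):
    if is_rfc1918(src):
        return "drop: RFC1918 source"
    if not strict_urpf_accepts(fib, src, in_iface):
        return "drop: uRPF failure"
    return "accept"

if __name__ == "__main__":
    for src in ("192.0.2.10", "203.0.113.5", "10.1.2.3"):
        print("edge cust0", src, "->", edge_filter(EDGE_FIB, src, "cust0"))
    # Legitimate packet arriving on the "wrong" interface: strict uRPF drops it.
    print("core peerB 198.51.100.7 ->",
          edge_filter(CORE_FIB, "198.51.100.7", "peerB"))
```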
