Message-ID: <200405261744.i4QHiG7c025893@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Odd packet?
On Wed, 26 May 2004 13:16:52 EDT, you said:
> Well, when you're cranking gigabits sometimes those little checks can
> become a bottleneck.

Especially on older Cisco gear. However, it's been a few years since
their stuff wasn't able to do at least basic filtering at line speed (and Juniper
has always been good at line-rate stuff). I haven't heard if the newly
announced Ciscos are able to do filtering on their OC768 interfaces at
line rate...

> Besides, safe routing begins at home. If end-users (or endpoints) would
> do ingress/egress filtering, there wouldn't be a problem. I'm not so
> certain we should place the blame on the core backbone for passing the
> packets it is sent without alteration.

Everybody agrees that it's painful to do it in the core, simply because URPF
doesn't work well with the asymmetric routing that BGP sometimes
hands you - and the alternative isn't pretty when the default-free zone is
sitting at some 110K routes... ;)

On the other hand, not doing URPF or equivalent at the ISP's edge router to a
single-homed customer is pretty lame. Considering that some 30% of the traffic
that arrives at the root nameservers has source addresses in RFC1918 space,
there's a LOT of broken NAT configs that are spewing and a LOT of broken ISPs
that aren't doing bogon filtering....
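
Added example (not part of the original message): a small Python model of the strict URPF check and the RFC1918 bogon filter discussed above, run against a constructed FIB built from documentation prefixes. The interface names, routes and packets are assumptions made for illustration; the last packet is a legitimate source that strict URPF drops because the route back to it points at a different interface, which is the asymmetric-routing case.

```python
import ipaddress

# RFC 1918 private ranges; a source in these should never cross an ISP edge.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed FIB (documentation prefixes): prefix -> interface of best route.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "cust0",     # single-homed customer
    ipaddress.ip_network("192.0.2.0/24"): "transit1",     # multi-homed remote net
    ipaddress.ip_network("0.0.0.0/0"): "transit1",        # default route
}


def best_route_iface(fib, addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    return fib[max(matches, key=lambda net: net.prefixlen)]


def edge_filter(fib, src, in_iface):
    """Return 'drop-bogon', 'drop-urpf' or 'pass' for a packet's source address."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return "drop-bogon"
    # Strict URPF: accept only if the route back to src uses the arrival interface.
    if best_route_iface(fib, addr) != in_iface:
        return "drop-urpf"
    return "pass"


def demo():
    """Run the filter over four constructed packets (source, arrival interface)."""
    packets = [
        ("198.51.100.7", "cust0"),     # customer's real address
        ("203.0.113.5", "cust0"),      # spoofed source from the customer port
        ("10.1.2.3", "cust0"),         # leaked RFC 1918 source (broken NAT)
        ("192.0.2.9", "transit2"),     # legitimate, but arrived asymmetrically
    ]
    return [(src, iface, edge_filter(FIB, src, iface)) for src, iface in packets]


if __name__ == "__main__":
    for src, iface, verdict in demo():
        print(f"{src:>15} on {iface:<9} -> {verdict}")
```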