Re: [spoofing-tf] HOWTO draft


On 14/09/2006, at 7:25, Pekka Savola wrote:

On Wed, 13 Sep 2006, Juan P. Cerezo wrote:

4.2.1. Filtering prefixes

- What to filter

==> why do you recommend filtering only bogon prefixes? That's pretty useless in the grand scheme of spoofing. The more important issue is filtering out addresses which have been spoofed to be from someone else's address space.

We don't recommend ONLY filtering bogon prefixes. Looking at the examples (and this is a howto) you can see that we filter bogon prefixes and other addresses known to be invalid (our own address in incoming traffic, NOT our own address in outgoing traffic, etc.)

==> I'd also recommend applying filtering at your peering/upstream edges:
 - outbound: allow out only valid addresses you give transit for (just in case you glitched somewhere, your wrong traffic won't leak out; also disables transit stealing by static routing)
 - inbound: disallow your own singlehomed addresses as source

That is also included in the document.


Fernando Garcia           |Tel: +34 91 4359687
EUROCOMERCIAL I&C SA      |Fax: +34 91 4313240
Valentín Beato, 5         |e-mail: fgarcia@localhost
E-28037 Madrid            |
Spain                     |
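
The edge policy discussed in this thread (bogon sources, own addresses arriving inbound, outbound limited to addresses given transit), written as a decision function. This is an added example, not part of the original e-mails or the HOWTO draft; the prefixes are constructed from documentation ranges and the name `edge_filter` is hypothetical.

```python
import ipaddress

# Constructed prefixes: RFC 5737 documentation ranges stand in for real allocations.
OWN_SINGLEHOMED = [ipaddress.ip_network("192.0.2.0/24")]       # hypothetical: our own space
TRANSIT_CUSTOMERS = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical: space we give transit for
# Partial sample of never-valid source ranges; a production bogon list is longer.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def edge_filter(direction, src):
    """Return (action, reason) for a packet crossing a peering/upstream edge."""
    addr = ipaddress.ip_address(src)
    # Bogon sources are invalid in both directions.
    if _in_any(addr, BOGONS):
        return ("deny", "bogon source")
    if direction == "inbound":
        # Our own single-homed space can never legitimately arrive from outside.
        if _in_any(addr, OWN_SINGLEHOMED):
            return ("deny", "own single-homed prefix arriving from outside")
        return ("permit", "external source")
    if direction == "outbound":
        # Allow-list: only our space and space we give transit for may leave.
        if _in_any(addr, OWN_SINGLEHOMED + TRANSIT_CUSTOMERS):
            return ("permit", "own or transit-customer source")
        return ("deny", "source not ours and not given transit")
    raise ValueError("direction must be 'inbound' or 'outbound'")


if __name__ == "__main__":
    # Constructed sample packets: (direction, source address).
    samples = [("inbound", "10.1.2.3"), ("inbound", "192.0.2.10"),
               ("inbound", "203.0.113.7"), ("outbound", "192.0.2.10"),
               ("outbound", "198.51.100.20"), ("outbound", "203.0.113.7")]
    for direction, src in samples:
        action, reason = edge_filter(direction, src)
        print(f"{direction:8} {src:15} {action:6} {reason}")
```

The inbound branch still permits a source forged from a third party's address space; only the outbound allow-list applied at the originating network stops that case.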