
Re: [spoofing-tf] Preparing for anti-spoofing project at $fooBig carrier

  • To: Martin Hannigan hannigan@localhost
  • From: Pekka Savola pekkas@localhost
  • Date: Tue, 17 Oct 2006 09:48:27 +0300 (EEST)

On Mon, 16 Oct 2006, Martin Hannigan wrote:

> Clearly, BCP 38 is called for so I'll start here. My interpretation of it is applied to ingress traffic.

Most importantly, yes, but filtering can also be applied (in addition to ingress traffic) for peering/upstream egress traffic. See draft-savola-rtgwg-backbone-attacks-02.txt. This helps in ensuring that no spoofed traffic escapes your network and that your peers don't steal transit by static routing etc.

> 3. Is there any common breakdown in the network that folks have seen? "Woops!" so to speak..

I've seen Cisco's CEF breaking a couple of times, causing e.g., 50% packet drop. A recent case (AFAIR) was that an unrelated interface was removed and as a result 50% of packets (two upstream links) from a CEF/uRPF enabled interface were dropped. Clearing CEF or toggling uRPF on and off fixes these kinds of problems but it's unfortunate that Cisco can't get this basic stuff right.

> 4. Anyone have any problem using this page as a reference for the implementation reference as well as the BCP?
>
> http://www.cisco.com/warp/public/707/iacl.html

Infrastructure protection ACLs are just a subset of spoofing protection.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
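
Added example, not part of the original message: a small Python model of the source-address check on upstream egress that the reply describes, showing how one filter drops both a spoofed packet that got past a missing ingress filter and a peer's packets statically routed toward your upstream. The prefixes (RFC 5737 documentation ranges), packets and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes).
CUSTOMER_CONE = ("192.0.2.0/24", "198.51.100.0/25")  # own + customer space
PEER_PREFIXES = ("203.0.113.0/24",)                   # a settlement-free peer


def in_any(addr, prefixes):
    """True if addr falls inside any of the given prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def ingress_ok(src, customer_prefixes):
    """BCP 38 ingress check on one customer-facing interface."""
    return in_any(src, customer_prefixes)


def egress_verdict(src):
    """Source check applied to packets leaving toward an upstream."""
    if in_any(src, CUSTOMER_CONE):
        return "permit"
    if in_any(src, PEER_PREFIXES):
        return "drop: peer source, would be free transit"
    return "drop: source outside own address space"


def audit(packets):
    """Return (src, verdict) for each packet queued for the upstream link."""
    return [(src, egress_verdict(src)) for src, _note in packets]


# Constructed packets headed for the upstream link.
SAMPLE = [
    ("192.0.2.10", "legitimate customer host"),
    ("198.51.100.200", "spoofed; customer edge had no ingress filter"),
    ("203.0.113.5", "peer statically routing a default toward us"),
]

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE):
        print(f"{src:16} {verdict}")
```
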




 
