
Re: [spoofing-tf] HOWTO draft


On 14/09/2006, at 7:25, Pekka Savola wrote:

> On Wed, 13 Sep 2006, Juan P. Cerezo wrote:
>> 4.2.1. Filtering prefixes
>>
>> - What to filter
>
> ==> why do you recommend filtering only bogon prefixes? That's pretty useless in the grand scheme of spoofing. The more important issue is filtering out addresses which have been spoofed to be from someone else's address space.

We don't recommend ONLY to filter bogon prefixes. Looking at the
examples (and this is a howto) you can see that we filter bogon
prefixes and other addresses known to be invalid (our own address in
incoming traffic, NOT our own address in outgoing traffic, etc.)

> ==> I'd also recommend applying filtering at your peering/upstream edges:
>  - outbound: allow out only valid addresses you give transit for (just in case you glitched somewhere, your wrong traffic won't leak out; also disables transit stealing by static routing)
>  - inbound: disallow your own singlehomed addresses as source

That is also included in the document.


Fernando Garcia           |Tel: +34 91 4359687
EUROCOMERCIAL I&C SA      |Fax: +34 91 4313240
Valentín Beato, 5         |e-mail: [email protected]
E-28037 Madrid            |
Spain                     |
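
The edge rules discussed in this message (bogon sources and own addresses dropped inbound, only originated or transited sources allowed outbound), written as a small decision function. This is an added example, not part of the thread or of the HOWTO draft; the prefixes, the abbreviated bogon list and the function names are assumptions made for illustration.

```python
import ipaddress

# Abbreviated bogon list (assumption: a production list is longer and changes
# over time). Documentation ranges are left out so they can stand in below.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed prefixes standing in for real allocations.
OWN_SINGLEHOMED = [ipaddress.ip_network("198.51.100.0/24")]
TRANSIT_CUSTOMERS = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def edge_filter(direction, src):
    """Return (action, reason) for a packet crossing a peering/upstream edge."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source")
    if addr.version != 4:
        return ("drop", "example covers IPv4 only")
    if direction == "in":
        if _in_any(addr, BOGONS):
            return ("drop", "bogon source")
        if _in_any(addr, OWN_SINGLEHOMED):
            return ("drop", "own single-homed prefix as source on inbound")
        return ("permit", "no inbound rule matched")
    if direction == "out":
        # Outbound is an allow-list: anything we do not originate or give
        # transit for is dropped, which also covers bogons and leaks.
        if _in_any(addr, OWN_SINGLEHOMED + TRANSIT_CUSTOMERS):
            return ("permit", "source we originate or give transit for")
        return ("drop", "source not ours to send")
    raise ValueError("direction must be 'in' or 'out'")


def run_samples():
    # Constructed (direction, source) pairs, not captured traffic.
    samples = [("in", "10.1.2.3"), ("in", "198.51.100.7"), ("in", "8.8.8.8"),
               ("out", "203.0.113.9"), ("out", "192.168.1.1"), ("out", "8.8.8.8")]
    return [(d, s) + edge_filter(d, s) for d, s in samples]
```
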