Re: [spoofing-tf] Preparing for anti-spoofing project at $fooBig carrier

On Mon, 16 Oct 2006, Martin Hannigan wrote:
> Clearly, BCP 38 is called for so I'll start here. My interpretation of it is applied to ingress traffic.

Most importantly, yes, but filtering can also be applied (in addition 
to ingress traffic) for peering/upstream egress traffic.  See 
draft-savola-rtgwg-backbone-attacks-02.txt.  This helps in ensuring 
that no spoofed traffic escapes your network and that your peers don't 
steal transit by static routing etc.

> 3. Is there any common breakdown in the network that folks have seen? "Woops!" so to speak..

I've seen Cisco's CEF breaking a couple of times, causing e.g., 50% 
packet drop.  A recent case (AFAIR) was that an unrelated interface 
was removed and as a result 50% of packets (two upstream links) from a 
CEF/uRPF enabled interface were dropped.  Clearing CEF or toggling 
uRPF on and off fixes these kinds of problems but it's unfortunate 
that Cisco can't get this basic stuff right.

> 4. Anyone have any problem using this page as a reference for the implementation reference as well as the BCP?

Infrastructure protection ACLs is just a subset of spoofing 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
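
Added example, not part of the original message: a small Python model of the egress source filter the reply describes for peering/upstream links, showing that it stops both a spoofed source leaving the network and a peer's traffic being carried to the upstream. The prefixes are constructed documentation ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation prefixes, not from the message).
OWN_AND_CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/25"),    # assumed: our own address space
    ipaddress.ip_network("192.0.2.128/25"),  # assumed: a customer's address space
]


def egress_permits(src, allowed=OWN_AND_CUSTOMER_PREFIXES):
    """Egress filter on a peering/upstream link: a packet may leave only if
    its source address is inside our own or our customers' prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def filter_egress(packets, allowed=OWN_AND_CUSTOMER_PREFIXES):
    """Split packets heading out of the upstream link into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_permits(pkt["src"], allowed) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packets that reached the upstream-facing interface.
SAMPLE_PACKETS = [
    # Legitimate customer traffic: source is inside the customer prefix.
    {"came_from": "customer", "src": "192.0.2.200", "dst": "203.0.113.5"},
    # Spoofed source that an ingress check missed (for example, uRPF toggled
    # off while working around a forwarding problem).
    {"came_from": "customer", "src": "203.0.113.99", "dst": "203.0.113.5"},
    # A peer pointing a static route at us for a destination we never
    # advertised to it: the source is the peer's address space, not ours.
    {"came_from": "peer", "src": "198.51.100.9", "dst": "203.0.113.5"},
]

if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE_PACKETS)
    for pkt in ok:
        print("forward", pkt)
    for pkt in bad:
        print("drop   ", pkt)
```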