North American Network Operators Group
Re: SYN floods (was: does history repeat itself?)
At 04:37 AM 9/13/96 -0400, Alexis Rosen wrote:
>Alex.Bligh writes:
>> I think you are talking about filtering inbound packets to your
>> router and restricting them to BGP announcements (I don't
>> think Avi was - see below). This would be done on the destination
>> address (checking it was within your announced route set) and
>> thus doesn't help protect against spoofed source addresses.
>
>No, Justin's talking about filtering _customers'_ packets at Justin's
>border with the customer. No BGP involved. This assumes customers that
>are not providers (ie, no transit for other nets through the customer).
>Good enough if all providers do the right thing (or if almost all do).
>
>What Justin meant about his BGP announcements was that a customer's
>packet is legal IFF Justin's announcing that packet's net by BGP (on
>_behalf_ of the customer, not _to_ the customer). Again, customer means
>a site that's not a BGP peer.

Actually what Justin was talking about is as follows...

Justin will only allow packets out of his border routers /to/ peers if they are packets with a source address inside the ranges of addresses he announces via BGP. I.e. if I announce 192.1.1.0 0.0.0.255 I would allow a packet with an address of 192.1.1.1 out of my network into "the net at large" but not if the packet's source address was 192.1.2.1.

I will allow any packet which I allow to enter my network into a customer's network. Their filtering is their problem.

Justin Newton
Internet Architect
Erol's Internet Services
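As an added illustration of the egress policy Justin describes (this is not code from the post or from Erol's), the following Python models the check: a packet leaving toward a peer is permitted only if its source address lies within an announced range written in the same router-style "network wildcard" notation the message uses, while packets headed into a customer network are passed regardless. The announced list and the sample packets are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the single prefix from the message, in wildcard-mask
# notation (a 1 bit in the wildcard means "don't care" for that bit).
ANNOUNCED: List[Tuple[str, str]] = [("192.1.1.0", "0.0.0.255")]


def parse_wildcard(network: str, wildcard: str) -> Tuple[int, int]:
    """Return (network_bits, care_mask) for a 'network wildcard' pair.
    Works for non-contiguous wildcards too, since it is a plain bitmask."""
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    care = (~wild) & 0xFFFFFFFF
    return net & care, care


def source_is_announced(src: str, announced=ANNOUNCED) -> bool:
    """True if src falls inside any range the border announces via BGP."""
    s = int(ipaddress.IPv4Address(src))
    for network, wildcard in announced:
        net_bits, care = parse_wildcard(network, wildcard)
        if (s & care) == net_bits:
            return True
    return False


def egress_decision(src: str, toward: str, announced=ANNOUNCED) -> str:
    """Border-router verdict for a packet leaving the network.

    toward='peer'     -> only sources inside announced ranges may leave.
    toward='customer' -> anything already admitted is passed along;
                         the customer's own filtering is their problem.
    """
    if toward == "customer":
        return "permit"
    if toward != "peer":
        raise ValueError("toward must be 'peer' or 'customer'")
    return "permit" if source_is_announced(src, announced) else "deny"


if __name__ == "__main__":
    # Constructed packets: the two addresses from the message plus a stray one.
    for src, toward in [("192.1.1.1", "peer"), ("192.1.2.1", "peer"),
                        ("192.1.2.1", "customer"), ("10.0.0.1", "peer")]:
        print(f"{src:>12} -> {toward:<8} {egress_decision(src, toward)}")
```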