Re: draft-ietf-grip-isp-00.txt now available
- To: grip-wg@UU.NET
- Subject: Re: draft-ietf-grip-isp-00.txt now available
- From: Tom Killalea <tomk@nwnet.net>
- Date: Wed, 29 Oct 1997 15:34:27 -0800
- Comment: grip-wg mailing list add/drop requests to Majordomo@TransSys.COM
In the light of comments on Source Address Filtering I've rewritten
section 4.2 as follows (and made the title more appropriate - I now deal
with real route filtering in section 5).
4.2 Ingress Filtering on Source Address
Attackers frequently cover their tracks by using forged source
addresses. To divert attention from their own site the source
address they choose will generally be from an innocent remote site or
indeed from those addresses that are allocated for private Internets
[RFC1918]. In addition, forged source addresses are frequently used
in spoof-based attacks in order to exploit a trust relationship
between hosts.
To prevent attacks that rely on forged source addresses, ISPs should do
the following. At the boundary router with each of their customers
they should proactively filter all traffic coming from the customer
that has a source address of something other than the addresses that
have been assigned to that customer.
In addition, ISPs should filter (and optionally log) all traffic with
source addresses from the address space allocated for private
Internets.
There are circumstances where ingress filtering is not currently
possible, for example on large aggregation routers that cannot take
the additional load. In addition, such filtering can cause difficulty
for mobile users. Hence, while the use of this technique to prevent
spoofing is strongly encouraged, I realise that it is not always
feasible.
Tom.
--
Tom Killalea (425) 649-7417 NorthWestNet
tomk@nwnet.net
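The two filtering rules the rewritten section 4.2 describes (permit only sources within the prefixes assigned to the customer; drop and log sources from RFC1918 space), as an added Python example that is not part of the original message or of the draft. The customer prefix 192.0.2.0/24 and the sample packets are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Address space allocated for private Internets [RFC1918].
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(src: str, assigned: Iterable[ipaddress.IPv4Network]) -> str:
    """Verdict for one packet arriving on a customer-facing interface.

    'drop-private'  source is in RFC1918 space (always logged here)
    'drop-spoofed'  source is outside the prefixes assigned to the customer
    'permit'        source belongs to the customer
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return "drop-private"
    if any(addr in net for net in assigned):
        return "permit"
    return "drop-spoofed"


def ingress_filter(customer_prefixes: Iterable[str],
                   packets: Iterable[Tuple[str, str]]):
    """Apply the filter to (src, dst) pairs; return forwarded packets and log lines."""
    assigned = [ipaddress.ip_network(p) for p in customer_prefixes]
    forwarded: List[Tuple[str, str]] = []
    log: List[str] = []
    for src, dst in packets:
        verdict = classify_source(src, assigned)
        if verdict == "permit":
            forwarded.append((src, dst))
        else:
            log.append(f"{verdict} src={src} dst={dst}")
    return forwarded, log


# Constructed sample: a hypothetical customer assigned 192.0.2.0/24 sends four packets.
CUSTOMER_PREFIXES = ["192.0.2.0/24"]
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),    # legitimate customer source
    ("10.1.2.3", "203.0.113.5"),      # RFC1918 source: drop and log
    ("198.51.100.7", "203.0.113.5"),  # forged source from an innocent remote site
    ("192.0.2.254", "203.0.113.9"),   # legitimate, last usable host in the prefix
]

if __name__ == "__main__":
    fwd, entries = ingress_filter(CUSTOMER_PREFIXES, SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("\n".join(entries))
```

A production router applies the same logic per interface in hardware; this model only makes the decision explicit.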