Actions to quiet the Smurf amplifiers?

it's a CC feature in the 11.1 train, it's been mentioned before,
and should be applied per-interface.

The reverse-path check is best applied at the CPE router or the access
router, not in your backbone. If you end up with asymmetric routing (a
common occurrence these days) there may not be a reverse path for that
packet you just got from your neighbor and (plop) a valid packet (or
thousand) get dropped when they should not have been.

I also don't think it's such a hot idea to be universally filtering
"n.n.n.255" without explicit prior knowledge of the netmask of the network
involved. Apple Computer, for example, used a 14 bit subnet mask on net 17
and we used every address in the 10-bit host space that was available to
use with that scheme, including the three where the last octet is 255. Make
certain that all your customers know that you're doing this - otherwise
they may be puzzling over why connectivity works from every address in
their net number, except for one or two...

  Erik <>

Check the whitepaper at:

It's got some reverse-path and ingress/egress filtering write-ups.


I was one of the participants in the last war on this topic here, and I
feel the need to point out that I read him as saying he _ingress_
filtered 255, not egress filtered it.

He can be expected to know if his own internal network has any non
broadcast .255's, I'd think.

(He wasn't a reseller, was he? :-})

-- jra