More on ingress filtering

I'd encourage folks to read the draft that Paul Ferguson and I have
written on this subject. We talk about some things that COULD be
implemented that would greatly help with source address problems.

One of these would be a change to your remote access servers, and would
be quite straightforward for vendors to implement:

For DIALUP users, provide an option (would need to be per user) to
require the packets arriving from that dialup user have the IP address
that was assigned by the RAS server when the user dialed up. At modem or
ISDN speeds, the packet rate is QUITE low, and this filtering should NOT
be a CPU overhead problem. A SINGLE compare of a 32 bit integer is ALL
we're talking about here.

The reason to make this configurable per-user is to allow dialups by
remote routers that are routing separate nets or subnets behind them. In
those cases, a more complex filter would be desirable, but perhaps
somewhat less necessary. It is my suspicion that a vast majority of the
intentional source IP address trouble comes from dialup users who can
leap from provider to provider.
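
The per-user check described above, written out as an added example (it is not code from the draft or from any vendor's RAS). The dialup_session struct, the IP4 macro and the sample addresses are constructed assumptions; the routed-subnet branch shows the "more complex filter" for a dialup router with a net behind it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Per-user ingress policy the RAS would keep for one dialup session (hypothetical struct). */
typedef struct {
    int      check;     /* the per-user option: 0 = no source check, 1 = enforce */
    uint32_t assigned;  /* address the RAS handed out when the user dialed up */
    uint32_t net, mask; /* optional routed net/subnet behind a dialup router; 0 if none */
} dialup_session;

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Source address is bytes 12..15 of the IPv4 header, network byte order. */
static uint32_t ipv4_src(const uint8_t *h) {
    return IP4(h[12], h[13], h[14], h[15]);
}

/* Called once per packet arriving on the dialup port. Returns 1 = forward, 0 = drop. */
int ingress_accept(const dialup_session *s, const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;       /* truncated or not IPv4: drop */
    if (!s->check) return 1;                            /* option disabled for this user */
    uint32_t src = ipv4_src(pkt);
    if (src == s->assigned) return 1;                   /* the single 32-bit compare */
    if (s->mask && (src & s->mask) == s->net) return 1; /* router with a net behind it */
    return 0;                                           /* not this user's address: drop */
}

/* Run a constructed burst of four sources through one session and count what gets through. */
int count_forwarded(int routed_customer) {
    dialup_session s = { 1, IP4(10,1,2,3), 0, 0 };
    if (routed_customer) { s.net = IP4(192,168,4,0); s.mask = IP4(255,255,255,0); }
    uint32_t srcs[] = { IP4(10,1,2,3), IP4(192,168,4,77), IP4(172,16,9,9), IP4(10,1,2,4) };
    int forwarded = 0;
    for (size_t i = 0; i < 4; i++) {
        uint8_t pkt[20];
        memset(pkt, 0, sizeof pkt);
        pkt[0] = 0x45;                                  /* version 4, IHL 5; other fields unused */
        pkt[12] = srcs[i] >> 24; pkt[13] = srcs[i] >> 16; pkt[14] = srcs[i] >> 8; pkt[15] = srcs[i];
        forwarded += ingress_accept(&s, pkt, sizeof pkt);
    }
    return forwarded;
}
```

For a plain host session only the assigned address passes (1 of 4); for a routed customer the subnet behind the router passes too (2 of 4), while the two foreign sources are dropped either way.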

Filtering should be done as close to the actual customers as possible. I
do understand the difficulty with the present core routing equipment
when trying to filter large amounts of traffic, but that doesn't apply
to routers at the periphery of the net. As someone else suggested, even
if some of the core networks can't do all of their own filtering, they
COULD add that as a requirement for those networks that are fed from
them, and they from their downstreams, etc. until the T1 line, or 56K
leased line, or dialup modem line at the periphery IS FILTERED.

Daniel Senie
OpenROUTE Networks, Inc.