Pat Calhoun writes:
However if you are filtering on your outbound router to the net,
there is still the possbility that a malicious user could spoof
addresses as long as they belong to your address space. By moving the
filter out to the edge (when you have the equipment) this eliminates
that problem as well.
I think thats less of a problem -- spoofing addresses inside the
network narrows down your origin enough that you are very likely to be
caught or shut down quickly. It might have an advantage in stopping
ankle-biter attacks against your own equipment by your users, though.
I think that agressively sanity-filtering the net at all junctions is
probably a good idea in general, though. Would that we had the CPU
(Whats needed, I think, is a cheap box that just does filtering. If
it did it in hardware, it could be very fast (needed for high speed
lines) and possibly even cheap.