See RFC2267.

- paul

> Good news.
> One more question (just if there is someone from CISCO) - what
> about source-address filtering by default for the access servers/routers?
> Note all these problems (SMURF, DENIAL-ATTACK, DNS-FRAUDING, etc etc) can
> be 100% blocked if ISPs would not allow their customers to send IP packets
> with the wrong SRC address. If not, they (hackers) should find new, new
> and new tricks to defraud any IP network.

You can apply the RPF idiom from multicast to block unicast
flooding. This would instantly solve the problem, though I am
not sure what overhead the path evaluation would incur.
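
A strict reverse-path check of the kind discussed in this thread, as an added example that is not part of any post and not Cisco's implementation. The interface names, prefixes and sample packets are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed forwarding table for a hypothetical access router:
# (prefix, outgoing interface). Names and prefixes are illustrative only.
FIB = [
    ("192.0.2.0/25", "Serial0"),     # customer A, statically routed
    ("192.0.2.128/25", "Serial1"),   # customer B, statically routed
    ("0.0.0.0/0", "Uplink0"),        # default route toward the upstream
]

# Constructed sample traffic: (source address, arrival interface).
SAMPLE = [
    ("192.0.2.10", "Serial0"),       # customer A, own address
    ("198.51.100.7", "Serial0"),     # customer A, source routed via the uplink
    ("192.0.2.200", "Serial0"),      # customer A using customer B's space
    ("192.0.2.99", "Serial0"),       # any other address inside A's own prefix
    ("198.51.100.7", "Uplink0"),     # traffic arriving from the upstream
]

def build_fib(entries):
    """Parse prefixes once and sort so the longest prefix is tried first."""
    parsed = [(ipaddress.ip_network(p), iface) for p, iface in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)

def route_lookup(fib, addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    for net, iface in fib:
        if ip in net:
            return iface
    return None  # no route at all

def rpf_accept(fib, src, in_iface):
    """Strict reverse-path check: accept only if the route back to the
    source address leaves through the interface the packet arrived on."""
    return route_lookup(fib, src) == in_iface

def filter_packets(fib, packets):
    """Split (src, in_iface) tuples into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if rpf_accept(fib, *pkt) else dropped).append(pkt)
    return accepted, dropped

if __name__ == "__main__":
    accepted, dropped = filter_packets(build_fib(FIB), SAMPLE)
    print("accepted:", accepted)
    print("dropped: ", dropped)
```

The check costs one extra route lookup per packet, keyed on the source instead of the destination. It still accepts any source inside the customer's own prefix, and it would drop legitimate traffic from a customer whose return route points out a different interface.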


It sounds like a good idea, but is it possible?
I don't think Cisco can filter on a wrong SRC address basis.
You can still use any IP on the same segment.
(Big deal, huh? :) )
Furthermore, it will cause some problems for Mobile IP stuff,
if I remember correctly.



CISCO can filter by any SRC address. The only question I am asking every
time is _could CISCO do it by default and by direct routing tables?_.
This means something like:

interface xxx
ip src-filtering selfpaths

and that means _a packet from interface xxx should be received ONLY if its SRC
address would be routed to the same interface_ (if you have a network statically routed to your interface, and an address on this interface, you can only send packets with the SRC
addresses and

And it's important to understand _IT SHOULD BE DEFAULT BEHAVIOUR ON THE
ACCESS SERVERS_ (maybe controlled by some extra command), so that any
(even dumb) network administrator could use this property without extra