> Good news.
> One more question (just if there is someone from CISCO) - what
> about source-address filtering by default for the access servers/routers?
> Note all these problems (SMURF, DENIAL-ATTACK, DNS-FRAUDING, etc etc) can
> be 100% blocked if ISP would not allow its customers to send IP packets
> with the wrong SRC address. If not, they (hackers) should find new, new
> and new tricks to fraud any IP network.

You can apply the RPF idiom from multicast to block unicast
flooding. This would instantly solve the problem, though I am
not sure what overhead the path evaluation would incur.

It sounds like a good idea, but is it possible?
I don't think Cisco can filter on a wrong SRC address basis.
You can still use any IP on the same segment.
(Big deal, huh?)
Furthermore, it will cause some problem for Mobile IP stuff,
if I remember correctly.

CISCO can filter by any SRC address. The only question I am asking every
time is _can CISCO do it by default and by direct routing tables?_.
This means something like:
ip src-filtering selfpaths
and that means _packet from interface xxx should be received ONLY if SRC
address should be routed to the same interface_ (if you have
188.8.131.52/24 network statically routed to your interface, and address
184.108.40.206/30 on this interface, you can only send packets with the SRC
addresses 220.127.116.11/24 and 18.104.22.168/30).
And it's important to understand _IT SHOULD BE DEFAULT BEHAVIOUR ON THE
ACCESS SERVERS_ (may be controlled by some extra command), so that any
(even dumb) network administrators could use this property without extra
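
The routing-table check discussed in this thread (accept a packet on an interface only if its SRC address is routed back out that same interface), as an added example that is not part of the original messages. The prefixes are documentation ranges and the interface names `Serial0` and `Ethernet0` are constructed for illustration; the sample also covers the objection raised above that any address on the same segment still passes.

```python
import ipaddress

# Constructed routing table (documentation prefixes, not from the thread):
# a /24 statically routed to the customer port, the /30 link on that port,
# and a default route towards the upstream.
ROUTES = [
    ("192.0.2.0/24", "Serial0"),      # customer LAN, static route
    ("198.51.100.0/30", "Serial0"),   # point-to-point link to customer
    ("0.0.0.0/0", "Ethernet0"),       # everything else goes upstream
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]


def best_route(addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in TABLE if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def accept(src, in_ifc):
    """Strict reverse-path check: the route back to src must use in_ifc."""
    route = best_route(src)
    return route is not None and route[1] == in_ifc


def filter_packets(packets):
    """Return (src, in_ifc, verdict) for each constructed packet."""
    return [(s, i, "permit" if accept(s, i) else "drop") for s, i in packets]


if __name__ == "__main__":
    sample = [
        ("192.0.2.77", "Serial0"),     # inside the routed /24
        ("198.51.100.2", "Serial0"),   # customer end of the /30
        ("203.0.113.9", "Serial0"),    # spoofed: routes via Ethernet0
        ("192.0.2.200", "Serial0"),    # another host's address, same /24
        ("192.0.2.77", "Ethernet0"),   # customer prefix arriving from upstream
    ]
    for row in filter_packets(sample):
        print(*row)
```

The fourth sample packet is permitted: the check limits a customer to its own routed prefixes but cannot tell hosts inside one prefix apart.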