
Re: Firewall



On Thu, Aug 23, 2001 at 07:18:35PM -0400, Adam William Lydick wrote:
> On Thu, 23 Aug 2001, Nathan E Norman wrote:
> > When I worked at an ISP, I liked to bring up security issues.
> 
> [snip]
> 
> > replies to other customers, filter rfc1918 addresses at the gateway to
> > prevent those addresses from accessing the internet, filtering source
> > addresses not in our netblocks from accessing the internet, filtering
> > incoming traffic with source addresses in our netblocks, etc).
> 
> That's not too bad, actually. I've never used an ISP that did
> egress/ingress filtering :) That cuts down on a good bit of garbage that
> can go on, although it doesn't save you from your neighbors or people who
> are bouncing to attack or are too stupid to know/care.
> 
> Out of curiosity, how much load did that filtering put on the routers?
> The common argument I've heard against doing the filtering is that it
> requires using the "slow path" on the router, and you can't handle as much
> load / router (more expensive). Is this accurate?

If your router is underpowered I suppose traffic could be impacted ...
the router in question (the Internet access router) was a Bay BCN and
had plenty of cycles to burn on a little filtering :)  I'd say at most
the load increased by 5%.  I never could see any impact on latency.

These days it's hard to run an ISP without at least filtering at your
Internet access point(s) ... you're simply asking for trouble if you
allow outbound traffic with source addresses from rfc1918 or netblocks
not inside your network.  Ditto with inbound traffic with source
addresses from rfc1918 or your own netblocks.

If you're an ISP and your Internet access router can't handle
filtering the traffic load, what are you going to do when someone
decides to attack your servers (or your customers)?

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com   |   -- Patton

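The filtering policy Nathan describes (drop RFC 1918 sources in either direction, drop outbound traffic whose source address is not in the ISP's own netblocks, drop inbound traffic whose source address claims to be in them) written out as a small packet classifier, as an added example that is not part of the original post or thread. The ISP netblocks (203.0.113.0/24 and 198.51.100.0/24, which are documentation ranges), the sample flows, and the external interface name eth0 are assumptions made for the example; the iptables rendering is generated as text only and is a Linux stand-in for whatever the access router's own filter syntax is (the post's router was a Bay BCN).

```python
"""BCP38-style ingress/egress source filtering at an ISP's Internet access router.

Added example, not code from the thread. Netblocks, flows and interface name are
constructed for illustration.
"""
import ipaddress

# RFC 1918 private space: must never appear as a source on the Internet side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical ISP address space (TEST-NET-3 and TEST-NET-2, reserved for docs).
OWN_NETBLOCKS = [ipaddress.ip_network(n)
                 for n in ("203.0.113.0/24", "198.51.100.0/24")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def verdict(direction, src, own=OWN_NETBLOCKS):
    """Classify one packet seen at the access router.

    direction: "out" = leaving the ISP toward the Internet (egress filter)
               "in"  = arriving from the Internet (ingress filter)
    Returns ("drop", reason) or ("accept", "").
    """
    a = ipaddress.ip_address(src)
    if _in_any(a, RFC1918):
        return ("drop", "rfc1918 source address on the Internet side")
    if direction == "out":
        # Egress: only our own customers may originate traffic from here.
        if not _in_any(a, own):
            return ("drop", "outbound source address not in our netblocks")
    elif direction == "in":
        # Ingress: nobody outside can legitimately source from our space.
        if _in_any(a, own):
            return ("drop", "inbound source address claims our netblocks (spoofed)")
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return ("accept", "")


def filter_flows(flows, own=OWN_NETBLOCKS):
    """Apply verdict() to (direction, src) pairs; returns (direction, src, action)."""
    return [(d, s, verdict(d, s, own)[0]) for d, s in flows]


def iptables_rules(external_if="eth0", own=OWN_NETBLOCKS):
    """Render the same policy as iptables FORWARD rules (text only, never executed)."""
    rules = []
    for n in RFC1918:
        rules.append(f"iptables -A FORWARD -i {external_if} -s {n} -j DROP")
        rules.append(f"iptables -A FORWARD -o {external_if} -s {n} -j DROP")
    for n in own:  # inbound packets pretending to be us
        rules.append(f"iptables -A FORWARD -i {external_if} -s {n} -j DROP")
    for n in own:  # outbound: whitelist our space, drop everything else
        rules.append(f"iptables -A FORWARD -o {external_if} -s {n} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -o {external_if} -j DROP")
    return rules


# Constructed sample flows: (direction, source address).
SAMPLE_FLOWS = [
    ("out", "203.0.113.7"),    # our customer talking to the Internet: accept
    ("out", "192.168.1.5"),    # leaked private address: drop
    ("out", "192.0.2.44"),     # customer spoofing someone else's space: drop
    ("in",  "198.51.100.9"),   # outsider spoofing our netblock: drop
    ("in",  "10.1.2.3"),       # private address arriving from the Internet: drop
    ("in",  "192.0.2.44"),     # ordinary Internet host: accept
]

if __name__ == "__main__":
    for d, s, action in filter_flows(SAMPLE_FLOWS):
        print(f"{d:3} {s:15} {action}")
    print("\n".join(iptables_rules()))
```

The egress side is deliberately a whitelist (accept our netblocks, drop the rest) rather than a blacklist of RFC 1918 space alone, because a blacklist still lets a customer spoof any arbitrary public address; the ingress side needs only the two deny rules, since there is no way to enumerate every legitimate outside source.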

