
Re: Source Address Verification



On Fri, Mar 22, 2002 at 02:11:52PM +0100, Christian Bailleul wrote:
> Can anybody explain to me what exactly Source Address Verification does? I know
> how to set it up and what the purpose is, but how does it actually work?

Do you mean "back route verify"? In this case it is a simple check: a packet
with a given IP address can only arrive on a given interface if the network
which originated that packet is listed as reachable over that interface.
Trivial case:

If you receive a packet from 10.0.0.1 on eth1 (Internet), the router will
look in its routing table and find that 10.0.0.x is connected to eth0
(LAN). In this case it will not process the packet from 10.0.0.1, since it
can be quite sure that someone on the Internet is trying to spoof this packet,
because he does not sit on the LAN. This is automatic ingress filtering and
only works in static route situations.

Greetings
Bernd
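
The check described in the message above, as an added example that is not part of the original post: a small Python model of a strict reverse-route lookup. The routing table, the default route on eth1 and the function names are constructed for illustration; only 10.0.0.x on eth0 (LAN) and eth1 (Internet) come from the message.

```python
import ipaddress

# Constructed routing table (assumption): prefix -> interface it is reachable over.
ROUTES = [
    ("10.0.0.0/24", "eth0"),  # LAN, as in the message's example
    ("0.0.0.0/0", "eth1"),    # default route towards the Internet (assumed)
]

def build_table(routes):
    """Parse prefixes once; sort most-specific first for longest-prefix match."""
    table = [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)

def reverse_route(table, src):
    """Interface the router would use to send a packet back TO src, or None."""
    addr = ipaddress.ip_address(src)
    for net, ifname in table:
        if addr in net:
            return ifname
    return None  # no route back at all

def accept(table, src, in_iface):
    """Strict check: accept only if the route back to src is the arrival interface."""
    return reverse_route(table, src) == in_iface

TABLE = build_table(ROUTES)

# Constructed sample packets: (source address, interface the packet arrived on).
SAMPLES = [
    ("10.0.0.1", "eth1"),      # LAN source seen on the Internet side: spoofed
    ("10.0.0.1", "eth0"),      # LAN source seen on the LAN side: fine
    ("198.51.100.7", "eth1"),  # outside source on the Internet side: fine
    ("198.51.100.7", "eth0"),  # outside source on the LAN side: dropped
]

def verdicts(table, samples):
    """Return (src, iface, route_back, 'accept' | 'drop') for each sample."""
    return [(src, iface, reverse_route(table, src),
             "accept" if accept(table, src, iface) else "drop")
            for src, iface in samples]

if __name__ == "__main__":
    for src, iface, back, verdict in verdicts(TABLE, SAMPLES):
        print(f"{src:>13} on {iface}: {verdict} (route back via {back})")
```

The decision depends only on the routing table, so a legitimate packet that arrives on an interface other than the one the table points back to is dropped as well.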


