RFC 3704: Ingress Filtering for Multihomed Networks

6. Conclusions and Future Work

   This memo describes ingress filtering techniques in general and the
   options for multihomed networks in particular.

   It is important for ISPs to implement ingress filtering to prevent
   spoofed addresses being used, both to curtail DoS attacks and to make
   them more traceable, and to protect their own infrastructure.  This
   memo describes mechanisms that could be used to achieve that effect,
   and the tradeoffs of those mechanisms.

   To summarize:

   o  Ingress filtering should always be done between the ISP and a
      single-homed edge network.

   o  Ingress filtering with Feasible RPF or similar Strict RPF
      techniques could almost always be applied between the ISP and
      multi-homed edge networks as well.

   o  Both the ISPs and edge networks should verify that their own
      addresses are not being used in source addresses in the packets
      coming from outside their network.

   o  Some form of ingress filtering is also reasonable between ISPs,
      especially if the number of prefixes is low.

   This memo will lower the bar for the adoption of ingress filtering,
   especially in scenarios such as asymmetric/multihomed networks where
   the general belief has been that ingress filtering is difficult to
   implement.
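
   The following sketch is an added example, not part of the RFC text.
   It contrasts Strict RPF (accept only on the best path back to the
   source) with Feasible Path RPF (accept on any path to the source's
   prefix) for a multihomed customer with asymmetric routing, and adds
   the own-address check from the summary.  The RIB contents, interface
   names and preference values are constructed for illustration.

```python
import ipaddress

# Constructed RIB of an ISP edge router (documentation prefixes).
# Entry: (prefix, interface, preference); the lowest preference is the best path.
RIB = [
    ("192.0.2.0/24", "cust0", 200),     # multihomed customer, direct link (backup path)
    ("192.0.2.0/24", "peer0", 100),     # same prefix via the customer's other ISP (best)
    ("198.51.100.0/24", "core0", 100),  # the ISP's own address space
    ("0.0.0.0/0", "upstream0", 100),
]
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
EXTERNAL_IFACES = {"cust0", "peer0", "upstream0"}

def routes_for(src):
    """All RIB entries for the longest prefix covering src, best path first."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), i, pref) for p, i, pref in RIB
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return []
    longest = max(n.prefixlen for n, _, _ in hits)
    return sorted((h for h in hits if h[0].prefixlen == longest), key=lambda h: h[2])

def strict_rpf(src, iface):
    """Accept only if the best path back to src leaves via the arrival interface."""
    routes = routes_for(src)
    return bool(routes) and routes[0][1] == iface

def feasible_rpf(src, iface):
    """Accept if any path to src's prefix, best or alternative, uses the interface."""
    return any(i == iface for _, i, _ in routes_for(src))

def own_address_from_outside(src, iface):
    """True when an external interface delivers a packet sourced from our own space."""
    addr = ipaddress.ip_address(src)
    return iface in EXTERNAL_IFACES and any(addr in n for n in OWN_PREFIXES)

def verdict(src, iface):
    """Own-address check first, then Feasible Path RPF."""
    if own_address_from_outside(src, iface):
        return "drop: own address from outside"
    return "accept" if feasible_rpf(src, iface) else "drop: no feasible path"

if __name__ == "__main__":
    for src, iface in [("192.0.2.10", "cust0"), ("203.0.113.7", "cust0"),
                       ("198.51.100.5", "upstream0")]:
        print(src, iface, "strict:", strict_rpf(src, iface), "->", verdict(src, iface))
```

   The customer's legitimate traffic on cust0 fails Strict RPF because
   the best path points at peer0, yet passes Feasible Path RPF; the
   spoofed source on cust0 is dropped by both.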

   One can identify multiple areas where additional work would be
   useful:

   o  Specify the mechanisms in more detail: there is some variance
      between implementations e.g., on whether traffic to multicast
      destination addresses will always pass the Strict RPF filter or
      not.  By formally specifying the mechanisms the implementations
      might get harmonized.

   o  Study and specify Routing Information Base (RIB) -based RPF
      mechanisms, e.g., Feasible Path RPF, in more detail.  In
      particular, consider under which assumptions these mechanisms work
      as intended and where they don't.

   o  Write a more generic note on the ingress filtering mechanisms than
      this memo, after the taxonomy and the details of the mechanisms
      (points above) have been fleshed out.

   o  Consider the more complex case where a network has connectivity
      with different properties (e.g., peers and upstreams), and wants
      to ensure that traffic sourced with a peer's address should not be
      accepted from the upstream.
