... traffic with spoofed addresses access to the network, and to help
ensure that traffic is traceable to its correct source network. As a
side effect of protecting the Internet against such attacks, the
network implementing the solution also protects itself from this and
other attacks, such as spoofed
...
... traffic by dropping traffic entering their networks that is coming
from a source address not legitimately in use by the customer network.
The filtering includes but is in no way limited to the traffic ...
... random number is deterministically within the target
network, simultaneously attacking one or more machines and causing
those machines to attack others with ICMP messages ...
... can be suppressed before it does significant damage, and attacks can
be readily traced back to at least their source networks.
This document is aimed at ISP and edge network operators who 1) would
like to learn more of ingress filtering methods ...
... filter that checks the source address of
every message received on a network interface against a list of
acceptable prefixes, dropping any packet that does not match the
...
... Reverse Path Forwarding is a very reasonable approach in front
of any kind of edge network; in particular, it is far superior to
Ingress Access Lists when the network edge is advertising multiple
prefixes ...
... the other deterministically follow the same path. While this is
common at edge network interfaces to their ISP, it is in no sense
common between ISPs ...
... multihoming at the edge of
the network, this approach provides a way to relatively easily
address the biggest problems of Strict RPF ...
... sacrifices directionality, it loses the ability to limit an edge
network's traffic to traffic legitimately sourced from that network,
in most cases, rendering the mechanism useless as an ingress
filtering mechanism.
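The following is an added example and is not text or code from the RFC. It
models a small forwarding table on a hypothetical ISP edge router and runs
three ingress-filter variants over constructed packets: an Ingress Access
List, Strict RPF (the route back to the source must leave via the receiving
interface) and Loose RPF (any non-default route to the source will do). It
also includes the check that a network's own prefixes never appear as source
addresses on packets arriving from outside. The interface names, prefixes,
ACL contents and packets are all assumptions chosen to illustrate the
directionality point above and the multihoming asymmetry case; the
prefixes are RFC 5737 documentation ranges.

```python
"""Ingress ACL vs Strict RPF vs Loose RPF on a toy FIB (added example)."""
from ipaddress import ip_address, ip_network

DEFAULT = ip_network("0.0.0.0/0")

# Hypothetical FIB of an ISP edge router: (prefix, outgoing interface).
# cust2 is multihomed: it also holds 203.0.113.0/24 from its other ISP and
# announces that prefix only there, so our best route to it goes via transit.
FIB = [
    (ip_network("192.0.2.0/24"), "cust1"),       # single-homed customer
    (ip_network("198.51.100.0/24"), "cust2"),    # prefix cust2 announces to us
    (ip_network("203.0.113.0/24"), "upstream"),  # cust2's other prefix, learned via transit
    (DEFAULT, "upstream"),                       # default route
]

# Prefixes this ISP is responsible for (customer allocations it routes).
OWN_PREFIXES = [prefix for prefix, iface in FIB if iface.startswith("cust")]

# Ingress ACLs: acceptable source prefixes per customer-facing interface.
# The operator knows cust2's full allocation, including the unannounced block.
# No ACL is configured toward upstream (the "no filter at all" case).
INGRESS_ACL = {
    "cust1": [ip_network("192.0.2.0/24")],
    "cust2": [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")],
}


def lookup(src):
    """Longest-prefix match; returns (prefix, interface) or None."""
    best = None
    for prefix, iface in FIB:
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def ingress_acl(iface, src):
    """Accept only listed sources; an interface without an ACL is unfiltered."""
    acl = INGRESS_ACL.get(iface)
    if acl is None:
        return True  # trusting the neighbour to behave itself
    return any(src in prefix for prefix in acl)


def strict_rpf(iface, src):
    """Accept only if the best route back to src leaves via the receiving interface."""
    route = lookup(src)
    if route is None or route[0] == DEFAULT:
        return False  # no real route: treat the source as unallocated
    return route[1] == iface


def loose_rpf(iface, src):
    """Accept if any non-default route to src exists, whatever interface it uses."""
    route = lookup(src)
    return route is not None and route[0] != DEFAULT


def own_address_from_outside(iface, src):
    """Drop packets from non-customer interfaces whose source is one of our own prefixes."""
    if iface.startswith("cust"):
        return True  # check applies on external interfaces only
    return not any(src in prefix for prefix in OWN_PREFIXES)


def evaluate(packets):
    """Return {(iface, src): {check: accepted?}} for each constructed packet."""
    results = {}
    for iface, src_str in packets:
        src = ip_address(src_str)
        results[(iface, src_str)] = {
            "acl": ingress_acl(iface, src),
            "strict": strict_rpf(iface, src),
            "loose": loose_rpf(iface, src),
            "own": own_address_from_outside(iface, src),
        }
    return results


# Constructed packets: (receiving interface, source address).
PACKETS = [
    ("cust1", "192.0.2.10"),      # legitimate, single-homed customer
    ("cust1", "198.51.100.7"),    # cust1 spoofing cust2's address
    ("cust1", "10.9.8.7"),        # source with no route at all
    ("cust2", "203.0.113.9"),     # legitimate but asymmetric (multihomed cust2)
    ("upstream", "192.0.2.10"),   # our own customer's address arriving from outside
]

if __name__ == "__main__":
    for (iface, src), verdict in evaluate(PACKETS).items():
        cells = "  ".join(f"{k}={'accept' if v else 'DROP'}" for k, v in verdict.items())
        print(f"{iface:9} {src:14} {cells}")
```

Running it shows the trade-off the text describes: the spoofed packet from
cust1 passes Loose RPF because a route to 198.51.100.0/24 exists somewhere in
the table, which is exactly the lost directionality; Strict RPF catches that
spoof but also drops cust2's legitimate 203.0.113.9 packet, since the best
route to that prefix points at transit; only the manually maintained ACL
gets both right, at the cost of knowing every customer allocation. The
own-address check is the one filter that catches 192.0.2.10 arriving from
upstream without depending on the ACL being configured there.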
...
... RPF could be used as a form
of contract verification: the other network is presumably certifying
that it has provided appropriate ingress filtering rules, so the
network doing the filtering need only verify the fact and react if
any packets which would show a breach in the contract are detected.
...
... routers
connecting LANs to an enterprise network, etc. -- this increases the
defense in depth.
...
... First, one must ask why a site multihomes; for example, the edge
network might:
o use two ISPs ...
... One can imagine a number of approaches to working around the
limitations of ingress filters for multihomed networks. Options
include:
...
... filter at all essentially trusts the
downstream network to behave itself, which is not the wisest course
of action. However, especially in the case of very large networks of
even hundreds or thousands of prefixes, maintaining manual access-
...
... RPF does not seem like a good choice between the
edge network and the ISP, since it loses the directionality of the
test. This argues in favor of either using a complete filter ...
... network that packets
the upstream network will reject will never reach it.
Therefore, the use of Loose RPF ...
... routing. This will often require the
edge network to use provider-independent prefixes and exchange routes
...
... ISPs. Of necessity, this implies that the edge
network will be of a size and technical competence to qualify for a
separate address assignment ...
... This is not a complicated procedure, but requires careful planning
and configuration. For robustness, the edge network may choose to
connect to each of its ISPs through two or more different Points of
...
... Ingress filtering is typically performed to ensure that traffic
arriving on one network interface legitimately comes from a computer
residing on a network reachable through that interface.
...
... RPF check is a very easy and sure way to implement ingress
filtering. It is typically fit between the edge network and the
ISP. In many cases, a simple strict RPF ...
... interfaces it can only be used as a contract
verification, that the other network has performed at least some
ingress filtering.
...
... by an ISP towards an edge network, there don't seem to be many
reasons why a stricter form of ingress filtering would not be
...
... This memo describes ingress filtering techniques in general and the
options for multihomed networks in particular.
It is important for ISPs ...
... o Both the ISPs and edge networks should verify that their own
addresses are not being used in source addresses in the packets
coming from outside their network.
o Some form of ingress filtering ...
... This memo will lower the bar for the adoption of ingress filtering
especially in the scenarios like asymmetric/multihomed networks where
the general belief has been that ingress filtering is difficult to
...
... (points above) have been fleshed out.
o Consider the more complex case where a network has connectivity
with different properties (e.g., peers and upstreams), and wants
to ensure that traffic ...
... Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address ...
