[j-nsp] Using routing policy in firewall filters

[Stefan Fouant]

If you are just worried about ensuring that traffic is sourced from
the appropriate locations (and external sources are not spoofing your
own customer space), wouldn't uRPF fit the bill?

Just a thought...

On Fri, Jul 11, 2008 at 1:14 PM, David Ball <davidtball at gmail.com> wrote:
>  I'm worried more about people on the internet spoofing my customer
> space INbound into our network.  We have multihomed customers whose
> space would need to be allowed to be sourced from the internet, but
> most of our customers space should only be sourced from inside our
> network.
>
> David
>
>
> On 11/07/2008, Eugeniu Patrascu <eugen at imacandi.net> wrote:
>> David Ball wrote:
>>>   Hey folks.  They say the definition of insanity is repeating the
>>> same thing over and over and expecting different results, and again I
>>> found myself trying to use routing policy in a firewall filter,
>>> unsuccessfully.
>>>   We have 4 upstream ISPs, 2 on 1 router and 2 on another.  Until now
>>> we've had to maintain large prefix-lists including all customer blocks
>>> on both routers such that they can be applied to firewall filters to
>>> perform anti-spoofing.  I'm trying to find a way to simplify this,
>>> such that if my provisioning guys add a new customer who has their own
>>> block, the anti-spoofing rules filtering inbound internet traffic will
>>> allow it.
>>>   What are other folks doing?  Prefix-list maintenance is the only way
>>> ?  I get the feeling this question has been asked before, but I
>>> couldn't find it.
>>>
>> Isn't it enough for you to enable unicat reverse path verify on the
>> routers so that clients can't spoof packets ?
>>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D