kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England)) (05/10/89)
In article <May.8.20.16.01.1989.6980@geneva.rutgers.edu> hedrick@geneva.rutgers.edu (Charles Hedrick) writes:
>... I now believe that if you're going to depend upon IP source
>addresses (and from a practical point of view that may still be the
>only tool some of us have), you should set up your gateways to compare
>the claimed IP source address with the actual packet source. E.g.
>Rutgers might set up all exterior gateways to reject packets coming
>from the outside with source addresses of 128.6.x.x (our class B
>address). Similarly, the CS department might reject all packets
>physically from outside our department with a source address on one of
>our departmental networks.

Is this filtering fairly efficient on your cisco routers? Seems to me it would be a one line access list. Potentially very efficient.

I had been thinking that if you implement a spanning tree router topology on your campus (typical spine with subnet branches) that you could harmlessly reject all source addresses received at the subnet gateway that did not originate from that particular attached subnet using an access list essentially in the same way you filter from the outside. Then, with a secure ARP table in your gateway (possibly built using SNMP?) you could avoid most if not all source address masquerading. Am I missing anything?

Of course, the attacker may now shift to a routing attack, network management attack, or crack the root password on the routers, but straightforward source masquerading is thwarted.
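The filtering scheme discussed in the thread (an exterior gateway rejecting packets that claim a campus source, each subnet gateway rejecting anything not sourced from its attached subnet, and a fixed ARP table to catch masquerading within a subnet), as an added Python model that is not part of the original posts; the campus prefix, interface names, subnet prefixes and MAC bindings are constructed assumptions.

```python
"""Model of per-interface source-address filtering plus a fixed ARP table."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Tuple

# Constructed topology (assumption): class B campus split into /24 branches
# hanging off a spine. Each branch interface carries exactly one prefix.
CAMPUS = ip_network("128.6.0.0/16")
EXTERIOR_INTERFACE = "exterior"
SUBNET_INTERFACES: Dict[str, IPv4Network] = {
    "subnet-cs": ip_network("128.6.4.0/24"),
    "subnet-math": ip_network("128.6.5.0/24"),
}
# Constructed "secure ARP table" (assumption): authoritative (interface,
# address) -> MAC bindings, as if pushed to the gateway by management
# rather than learned from traffic. Unknown hosts are treated as spoofers.
SECURE_ARP: Dict[Tuple[str, str], str] = {
    ("subnet-cs", "128.6.4.10"): "00:00:0c:00:04:0a",
    ("subnet-cs", "128.6.4.11"): "00:00:0c:00:04:0b",
    ("subnet-math", "128.6.5.20"): "00:00:0c:00:05:14",
}


def check_source(iface: str, src: str) -> Tuple[bool, str]:
    """Source-address rule alone, the 'one line access list' per interface."""
    addr = ip_address(src)
    if iface == EXTERIOR_INTERFACE:
        # Exterior rule: nothing from outside may claim a 128.6.x.x source.
        if addr in CAMPUS:
            return False, "campus source address arriving from exterior"
        return True, "exterior source accepted"
    prefix = SUBNET_INTERFACES.get(iface)
    if prefix is None:
        return False, f"no prefix configured for interface {iface}"
    # Branch rule: a subnet may only originate addresses inside its prefix.
    if addr not in prefix:
        return False, f"{src} is not inside {prefix} attached to {iface}"
    return True, "source matches attached subnet"


def check_packet(iface: str, src: str, mac: str) -> Tuple[bool, str]:
    """Address rule first; then, on branch interfaces, the ARP binding."""
    ok, reason = check_source(iface, src)
    if not ok or iface == EXTERIOR_INTERFACE:
        return ok, reason
    expected = SECURE_ARP.get((iface, src))
    if expected is None:
        return False, f"{src} has no binding in the secure ARP table"
    if expected.lower() != mac.lower():
        return False, f"{src} bound to {expected}, packet came from {mac}"
    return True, "source and ARP binding consistent"
```

A host on subnet-cs that forges a subnet-math address, or borrows a neighbour's address with its own MAC, is dropped at its own branch gateway before it ever reaches the spine.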