Re: (PM) Nailing spoofers

Kevin Kadow (kadokev@ripco.com)
Fri, 31 Jul 1998 18:03:00 -0500 (CDT)

> On Fri, 31 Jul 1998, Curtis Coleman wrote:
> > o Implementation of automatic filtering on remote access servers.
> > In most cases, a user dialing into an access server is an
> > individual user on a single PC. The ONLY valid source IP address
> > for packets originating from that PC is the one assigned by the
> > ISP (whether statically or dynamically assigned). The remote
> > access server could check every packet on ingress to ensure the
> > user is not spoofing the source address on the packets which he
> > is originating. Obviously, provisions also need to be made for
> > cases where the customer legitimately is attaching a net or
> > subnet via a remote router, but this could certainly be
> > implemented as an optional parameter. We have received reports
> > that some vendors and some ISPs are already starting to
> > implement this capability.
>
> The best, easiest (for the ISP) way to do this is to have a setting in
> the Radius database like "ANTI-SPOOFING = ON" which makes the PM block
> outgoing packets unless they come from an IP that is being *routed* to
> that port. That way if you assign static routes or radius assigned
> routes, it works automatically. Working transparently with ChoiceNet
> would be a plus too.

That's a lot of thought to ask of the little 80x86 processor in a PM...

IMHO, I'd rather see the portmaster just translate '255.255.255.254' anywhere
it appears in a filter into the Assigned-IP address as the filter is being
evaluated against a packet.

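Added example, not part of the original message and not PortMaster code: a Python model of the two ideas in this thread, the routed-prefix check from the quoted proposal and the 255.255.255.254 placeholder expanded to the port's assigned address when a filter is evaluated. The rule tuples, function names and addresses are constructed for illustration, and real PortMaster filter syntax is not modelled.

```python
import ipaddress

# Token from the message: stands for "this port's Assigned-IP" inside a shared filter.
PLACEHOLDER = ipaddress.ip_address("255.255.255.254")

def expand_rule(rule, assigned_ip):
    """Swap a placeholder host source for the port's assigned address (hypothetical rule format)."""
    action, src = rule
    net = ipaddress.ip_network(src)
    if net.prefixlen == 32 and net.network_address == PLACEHOLDER:
        net = ipaddress.ip_network(f"{assigned_ip}/32")
    return action, net

def evaluate(rules, assigned_ip, src_ip):
    """First-match ingress filter on the packet's source address; default is deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        action, net = expand_rule(rule, assigned_ip)
        if src in net:
            return action
    return "deny"

def routed_check(assigned_ip, routes, src_ip):
    """Quoted proposal: permit only sources that are routed to this port."""
    src = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(f"{assigned_ip}/32")]
    nets += [ipaddress.ip_network(r) for r in routes]
    return any(src in n for n in nets)

# One filter shared by every dial-in port (constructed sample).
SHARED_FILTER = [("permit", "255.255.255.254/32")]

if __name__ == "__main__":
    # Single-PC user: assigned 198.51.100.7, no routed subnet.
    print(evaluate(SHARED_FILTER, "198.51.100.7", "198.51.100.7"))   # own address
    print(evaluate(SHARED_FILTER, "198.51.100.7", "203.0.113.9"))    # spoofed source
    # Customer with a remote router: 192.0.2.64/28 is routed to the port.
    print(evaluate(SHARED_FILTER, "198.51.100.8", "192.0.2.66"))
    print(routed_check("198.51.100.8", ["192.0.2.64/28"], "192.0.2.66"))
    # In this model the placeholder filter needs an explicit rule for the subnet.
    custom = SHARED_FILTER + [("permit", "192.0.2.64/28")]
    print(evaluate(custom, "198.51.100.8", "192.0.2.66"))
```

In this model the placeholder keeps one filter usable on every port, but it covers only the assigned address, so a customer subnet behind a remote router needs its own permit rule, whereas the routed-prefix check picks it up from the route.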