Ingress filtering

From BCP38

BCP38 is mainly about the use of ingress filtering to block forged IP packets, that is: filtering applied where packets come into a network, usually one operated by a commercial provider who specializes in that service.

Why not block where packets leave a network -- called egress filtering?

Well, you can do that too, but egress filtering is necessarily under the control of whoever operates that machine or network, and that person may be, on purpose or by accident, the very Bad Actor you are trying to protect the Internet against. Leaving the filtering up to them guarantees that the actual Bad Guys won't do it.

Egress filtering, applied, say, in a CPE router, can in fact do some good: it drops forged attack packets sent by a trojan-horse program the user doesn't know is on his or her computer. While useful, it is less important overall than convincing commercial network providers, both transit providers and providers to end users (Road Runner, Comcast, U-Verse, and the like), to implement ingress filtering wherever possible.

If you operate a large, but still end-user network, as many colleges and larger business enterprises do, you may find it useful to do both: egress filter at your edge routers, and ingress filter at your incoming connection aggregators, if you can.
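As an added example (not code from the BCP38 wiki), here is a toy Python model of the two checks described above: the provider-side ingress rule, which accepts a packet only if its source address lies in the prefixes assigned to the customer port it arrived on, and the CPE-side egress rule, which lets a packet leave only if its source is in the site's own address space. The port-to-prefix table and the sample packets are constructed for illustration.

```python
"""Toy BCP38-style source-address filter (added example, not from the
BCP38 wiki). The port-to-prefix table and sample packets are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Hypothetical provider aggregation router: each customer-facing port is
# assigned the prefixes delegated to that customer. Ingress filtering
# means: only forward packets whose source lies inside the prefixes
# assigned to the port they came in on.
PORT_PREFIXES: Dict[str, List[str]] = {
    "cust-port-1": ["198.51.100.0/24"],
    "cust-port-2": ["203.0.113.0/25", "2001:db8:2::/48"],
}


def _in_any(addr: str, prefixes: Iterable[str]) -> bool:
    """True if addr falls inside any prefix (v4/v6 mismatches are False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def ingress_ok(port: str, src: str) -> bool:
    """Provider-side check. A port with no assigned prefixes (unknown or
    unconfigured) forwards nothing, which is the safe default."""
    return _in_any(src, PORT_PREFIXES.get(port, []))


def egress_ok(own_prefixes: Iterable[str], src: str) -> bool:
    """CPE-side check: a packet leaving the site must carry a source in
    the site's own address space; anything else is forged or misrouted."""
    return _in_any(src, own_prefixes)


def filter_packets(packets: Iterable[Tuple[str, str, str]]):
    """Apply the ingress rule to (port, src, dst) tuples and return
    (forwarded, dropped_as_forged)."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if ingress_ok(port, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic: the third packet arrives on cust-port-1 but
# claims a source address that was never assigned to that port.
SAMPLE = [
    ("cust-port-1", "198.51.100.7", "192.0.2.10"),
    ("cust-port-2", "2001:db8:2::42", "2001:db8:f::1"),
    ("cust-port-1", "203.0.113.9", "192.0.2.10"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("forwarded:", ok)
    print("dropped as forged:", bad)
```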
