BCP38 is not just for IPv4
Mikael Abrahamsson
swmike at swm.pp.se
Thu Mar 28 12:44:04 CET 2013
On Thu, 28 Mar 2013, Phil Mayers wrote:
> I am curious to know if people are using "second best" spoof protections
> of having a single big egress ACL at the points leaving their network
> containing all expected source addresses, or even if they're doing both.
I know of all variants. Some people will do SAVI style DHCPv4 based
antispoofing at the customer access port. Some will do /26 (or whatever)
based filtering on the access router where ~60 customers are aggregated
(perhaps uRPF). Some will do this egress on their upstream pipe. Some do
nothing at all and then hopefully their upstream will do uRPF. Sometimes
this doesn't happen either.
--
Mikael Abrahamsson email: swmike at swm.pp.se
More information about the ipv6-ops
mailing list