It is usually appropriate for an antispoofing access list to filter out all ICMP redirects regardless of source or
destination address. These are just basic guidelines and can be further fine-tuned with other filtering, such as
anti-bogon filtering, which drops traffic claiming to be sourced from reserved addresses or from an IPv4 block that
has yet to be allocated by IANA.
In general, antispoofing filters are best deployed as input access lists; that is, packets must be filtered at the
arriving interfaces, not at the interfaces through which they exit the router. The input access list also protects
the router itself from spoofing attacks, whereas an output list protects only devices behind the router.
Antispoofing with uRPF
Unicast Reverse Path Forwarding (uRPF) is another common technique used to mitigate source address
spoofing. When uRPF is used, the source address of IP packets is checked to ensure that the route back to the
source uses the same interface that the packet arrived on. If the input interface is not a feasible path to the
source network, the packet will be dropped. The uRPF feature is discussed later in this chapter.
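As an added illustration, not code from the book, the following Python model applies the two checks described above to constructed packets: an input antispoofing ACL on the Internet-facing interface (drop ICMP redirects, bogon sources, and sources claiming an internal prefix), followed by a strict uRPF check against a routing table. The interface names, prefixes and routing table are assumptions made up for the example.

```python
import ipaddress

# Constructed routing table: prefix -> outgoing interface (longest match wins).
ROUTES = {
    "192.0.2.0/24": "Gi0/1",      # internal LAN A
    "198.51.100.0/24": "Gi0/2",   # internal LAN B
    "0.0.0.0/0": "Gi0/0",         # default route toward the ISP
}
EDGE = "Gi0/0"  # Internet-facing interface where the input ACL is applied

# Reserved/private source prefixes that should never arrive from the Internet.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16"]

def lookup(dst):
    """Longest-prefix-match route lookup; returns the egress interface."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def input_acl(src, in_iface, icmp_type=None):
    """Antispoofing input ACL: evaluated on the arriving interface."""
    if icmp_type == 5:  # ICMP type 5 is Redirect; deny regardless of addresses
        return "deny: icmp redirect"
    s = ipaddress.ip_address(src)
    if any(s in ipaddress.ip_network(b) for b in BOGONS):
        return "deny: bogon source"
    internal = [p for p, i in ROUTES.items() if i != EDGE]
    if in_iface == EDGE and any(s in ipaddress.ip_network(p) for p in internal):
        return "deny: internal source from outside"
    return "permit"

def urpf_strict(src, in_iface):
    """Strict uRPF: the route back to the source must use the arrival interface."""
    return lookup(src) == in_iface

def filter_packet(src, in_iface, icmp_type=None):
    """Combined verdict: ACL first, then strict uRPF on the same input interface."""
    verdict = input_acl(src, in_iface, icmp_type)
    if verdict != "permit":
        return verdict
    return "permit" if urpf_strict(src, in_iface) else "deny: urpf strict"
```

The last case in the model shows why both checks are useful: an internal host sending packets with an external source address passes the edge ACL (it is not on that interface) but fails strict uRPF because the route back to that source points out the Internet-facing interface.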
Antispoofing with IP Source Guard
IP Source Guard is a Layer 2 security feature that prevents IP spoofing attacks by restricting IP traffic on
untrusted Layer 2 ports to clients with an assigned IP address.