denied NS/IN
Niall O'Reilly
Niall.oReilly at ucd.ie
Wed Jan 21 18:05:24 UTC 2009
On Wed, 2009-01-21 at 12:44 +1100, Mark Andrews wrote:
> You should talk to your ISP to chase the traffic back to
> its source and get BCP 38 implemented there. BCP 38 is ~10
> years old now. There is no excuse for not filtering spoofed
> traffic.
Absolutely.
Putting myself at the other end of the telescope, I'm wondering
what tools (if any) are available for verifying that the ingress
filtering actually in place is indeed compliant with BCP 38.
I try to be conscientious, but drawing valid conclusions from
visual inspection of the ACLs is already a challenge for my
domestic network (3 LANs and an upstream). Enterprise (even
with only one upstream) or ISP networks are likely more
difficult to verify.
Pointers for my next RTFM binge are welcome. Further discussion
is probably off-topic for the bind-users list.
/Niall
More information about the bind-users
mailing list