IP spoofing on Cisco IOS 10.2
Hi Paul, I have several follow-up queries embedded below. Later, Ken H.
---------------------------------------------------------------------------
Kenneth M. Hays, Assistant Director hays@scri.fsu.edu
Supercomputer Computations Research Institute aka kmh8 at the NIC
Florida State University voice=904-644-7053
400 Dirac Science Center Library fax=904-644-0098
Tallahassee, Florida 32306-4052
----------------------------------------------------------------------------
--------------- Prompting Message Fragment Follows ---------------
Paul Ferguson wrote on 30-Apr-96 at 11:21:28 -0400, in part:
>Regardless of whether you're using 10.2 or 10.3, defeating IP spoofing
>is a pretty trivial thing to accomplish. All you need to do is configure
>an access list that explicitly denies packets destined for a specific
>(sub)network which claim to have originated from the same (sub)network.
>
>There are basically two ways to do this; on the inbound path and on the
>outbound path.
>
>
> | +--+
> | b| +--<---
> +--+ |a
> | | |
> | +--+
> |
> ethernet 192.1.1.0
>
>
>[inbound]
>
>interface Ethernet0
>ip address 192.1.1.0 255.255.255.0
>
>interface Serial0
>ip address 192.1.2.0 255.255.255.0
>ip access-group 1 in
I thought the access-group should reference the access list. As in
ip access-group 100 in
^^
Comment ?
>
>access-list 100 deny 192.1.1.0 0.0.0.255 192.1.1.0 0.0.0.255
I expected a "deny" of traffic with any destination address claiming
to be sourced from the "IP subnet assigned to the ethernet" as in -
access-list 100 deny 192.1.1.0 0.0.0.255 0.0.0.0 255.255.255.255
match any destination address ^^^^^^^^^^^^^^^^^^^^^^^
Comment ?
>access-list 100 permit 0.0.0.0 255.255.255.255 192.1.1.0 0.0.0.255
>
>[outbound]
>
>interface Ethernet0
>ip address 192.1.1.0 255.255.255.0
>ip access-group 1 out
I thought the access-group should reference the access list. As in
ip access-group 100 in
^^
Comment ?
>
>interface Serial0
>ip address 192.1.2.0 255.255.255.0
>
>access-list 100 deny 192.1.1.0 0.0.0.255 192.1.1.0 0.0.0.255
I expected a "deny" of traffic with any source address claiming
to be destined for the "IP subnet assigned to the ethernet" as in -
access-list 100 deny 0.0.0.0 255.255.255.255 192.1.1.0 0.0.0.255
match any source addr ^^^^^^^^^^^^^^^^^^^^^^^
Comment ?
>access-list 100 permit 0.0.0.0 255.255.255.255 192.1.1.0 0.0.0.255
>
>[snip]
>
>- paul
..omitted text
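A small Python model of the inbound anti-spoofing list Ken sketches above (his "deny any destination" form on Serial0), added here as an example and not code from the thread or from Cisco: it shows how IOS wildcard masks match (a 0 bit must match, a 1 bit is ignored), first-match evaluation, and the implicit deny at the end of every access list. The sample packets are constructed, and the parser handles only the plain source/destination form of extended access-list lines.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_acl(text: str):
    """Parse extended 'access-list N deny|permit SRC SRC-WC DST DST-WC' lines (only that form)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] != "access-list" or parts[2] not in ("deny", "permit"):
            raise ValueError(f"unsupported access-list line: {line!r}")
        entries.append(tuple(parts[2:]))  # (action, src, src_wc, dst, dst_wc)
    return entries

def evaluate(entries, src: str, dst: str) -> str:
    """First matching entry wins; a Cisco ACL ends with an implicit 'deny'."""
    for action, s, swc, d, dwc in entries:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

# Ken's suggested inbound list for Serial0: drop anything arriving from outside that
# claims a source on the 192.1.1.0/24 ethernet, then admit everything else bound for it.
INBOUND_ACL = parse_acl("""
access-list 100 deny 192.1.1.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 100 permit 0.0.0.0 255.255.255.255 192.1.1.0 0.0.0.255
""")

# Constructed sample packets (source, destination) as seen arriving on Serial0.
SAMPLE_PACKETS = [
    ("192.1.1.5", "192.1.1.10"),   # spoofed: outside packet claiming an inside source
    ("192.1.1.5", "10.9.8.7"),     # spoofed source, transit destination
    ("10.9.8.7", "192.1.1.10"),    # legitimate inbound traffic
    ("10.9.8.7", "192.1.2.1"),     # not for the ethernet: falls to the implicit deny
]

def filter_packets(entries, packets):
    """Return (src, dst, verdict) per packet; the 'deny' verdicts are what a router would log."""
    return [(s, d, evaluate(entries, s, d)) for s, d in packets]

if __name__ == "__main__":
    for s, d, verdict in filter_packets(INBOUND_ACL, SAMPLE_PACKETS):
        print(f"{s:>12} -> {d:<12} {verdict}")
```

Note that the fourth packet is dropped not by the anti-spoofing line but by the implicit deny, which is why the trailing permit has to cover every legitimate destination the interface should carry.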