On Sat, 9 Jun 2001, Bill Royds wrote:

> Note: RFC 2267 has been superseded by RFC 2827

Thanks, I had indeed missed that.

> You are correct, RFC2827 is not a standard but it is a Best Current
> Practice (BCP0038) which could be used as a precedent in a lawsuit if
> it came to that. RFC2827 is about ingress filtering for backbones
> rather than egress filtering for ISPs but the rules are similar. It
> is just which side of the peering point you are looking at. Egress
> filtering would require a lot less horsepower than ingress filtering
> because the border router already has routing tables for which IP
> blocks it accepts traffic. Using this on the source address of outgoing
> traffic adds not much more memory overhead (although it does add more
> CPU cost). This is just applying routing rules to outgoing traffic as
> well as incoming traffic rather than doing any censoring.
>
> The golden rule of egress filtering: Only allow packets out of your
> network with a source IP address that you would allow in.

So, since we seem to be in basic agreement here, is there anyone who can
come up with a significant impediment to mandatory egress filtering rules
other than getting buy-in (ISO layer 8 issues)?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@patriot.net    which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
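The "golden rule" quoted in the message above (only let a packet out if its source address is one you would accept as a destination on the way in, i.e. RFC 2827 / BCP 38 applied on the customer side of the peering point) is easy to state but worth seeing as working logic. The following is an added example, not code from either poster or from the firewalls list; the prefixes, interface name and sample packets are constructed from the RFC 5737 / RFC 3849 documentation ranges. It models the border router's "what blocks do I accept traffic for" view, derives the outbound check from that same data (which is the "not much more memory overhead" point in the quote), runs a few constructed outbound packets through it, and renders the equivalent nftables rule set.

```python
"""Egress filtering per RFC 2827 / BCP 38: a packet may leave the network
only if its source address lies inside the address blocks the site itself
owns, i.e. the blocks it would accept as a destination inbound.

Added example; prefixes, interface name and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed: the address blocks this site announces (RFC 5737 documentation ranges).
# This is the same data the border router already holds in its routing table.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _in_own_space(addr: str) -> bool:
    """True if addr falls inside one of the site's own prefixes.

    ipaddress returns False for an address/network version mismatch, so an
    IPv6 source is correctly rejected against IPv4-only prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)


def permit_inbound(pkt: Packet) -> bool:
    """Ingress side: accept traffic only if it is destined to a block we own."""
    return _in_own_space(pkt.dst)


def permit_outbound(pkt: Packet) -> bool:
    """Egress side, the golden rule: allow the packet out only if its source
    address is one we would accept inbound as a destination.  Expressed by
    reusing the inbound check on the swapped address pair, so no extra
    prefix table is needed, only an extra lookup (the CPU cost in the quote)."""
    return permit_inbound(Packet(src=pkt.dst, dst=pkt.src))


def filter_outbound(packets: Iterable[Packet]) -> List[Tuple[str, bool]]:
    """Apply the egress rule to a batch; returns (source, permitted) pairs."""
    return [(p.src, permit_outbound(p)) for p in packets]


def render_nft_rules(wan_if: str = "wan0", table: str = "egress_filter") -> str:
    """Render the same policy as an nftables rule set: drop anything leaving
    on the WAN interface whose IPv4 source is not in the site's own set.
    Interface and table names are assumptions for the example."""
    elems = ", ".join(str(n) for n in OWN_PREFIXES)
    return (
        f"table inet {table} {{\n"
        f"    set own_v4 {{\n"
        f"        type ipv4_addr\n"
        f"        flags interval\n"
        f"        elements = {{ {elems} }}\n"
        f"    }}\n"
        f"    chain forward {{\n"
        f"        type filter hook forward priority 0; policy accept;\n"
        f"        oifname \"{wan_if}\" ip saddr != @own_v4 counter drop\n"
        f"    }}\n"
        f"}}\n"
    )


# Constructed outbound packets: one legitimate, three that BCP 38 exists to stop.
SAMPLE_OUTBOUND = [
    Packet("192.0.2.7", "203.0.113.9"),       # our own address: permitted
    Packet("203.0.113.42", "203.0.113.9"),    # spoofed third-party source: dropped
    Packet("10.0.0.5", "203.0.113.9"),        # leaked RFC 1918 source: dropped
    Packet("2001:db8::1", "203.0.113.9"),     # IPv6 source, no v6 block owned: dropped
]


if __name__ == "__main__":
    for src, ok in filter_outbound(SAMPLE_OUTBOUND):
        print(f"{src:>16}  {'permit' if ok else 'drop'}")
    print(render_nft_rules())
```

The same `OWN_PREFIXES` list drives both directions, which is the point made in the quoted message: an ISP applying the check at its side of the peering point (ingress, per RFC 2827) and a customer applying it at its own border (egress) are enforcing one rule from opposite sides, and the egress side already has the prefix data in its routing table.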