The second principle is to implement BCP38 and this is unicast reverse path
forwarding which means deny outbound
traffic from customers which has spoofed
source addresses. We should only be
allowing traffic from IP address space
that's assigned to a customer's out from
these customer links. Everything else is
spoofed or faked, what you have and
should be dropped. So the advice and the
simple technique is to implement uRPF
on all single home customer facing interfaces.
It's much cheaper to do this
in terms of CPU and RAM than
implementing packet filters. We describe
uRPF in more detail elsewhere in this series.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.