Don Lewis has a problem with the following configuration:
net a ---------+
net b ---------+
'How do you prevent forged packets from the internet that have net A
or B as source address'
1) Firewall routers must be configured to not honor source routing,
which I assume is done for a correct firewall router.
2) If a packet with a source address from net a or b is sent in from
the internet access (I would prefer to call it 'public', not to give a
bad sound to 'Internet'), any reply will go to net a or b, not back
to the public (his 'internet') access.
One shot is possible.
Within an AS, all access points to a public network are known, and
routing loops of course must not occur. There is a risk, of course, as
always, in using multiple public network access points to circumvent
intra-AS link failures via a public path. I would never do that,
so I know that everything with source address net a or net b
stays within net a and net b.
Yes, if you have inside information, you could send some UDP. BUT:
all strategic devices, at least within my stuff, are protected as to
from where they may be configured, read out, or written to. The only
thing possible would be some one-shot UDP tries (TCP would not go
past the first packet since the SYN/ACK would stay within the
network and go into the bit bucket [don't forget to empty it
frequently for cases where forged packets arrive from the public
So, what can we do by sending a forged UDP packet (we won't get a
Not much, especially nothing disruptive.
An addendum: happily I mistakenly read my own message and found that
the P.S. was garbled.
Here is what should have been there:
If you allow UDP, you cannot defend against incoming packets.
(the rest is about right, however difficult to read, I admit)
My personal opinion: isolated UDPs pose no threat. Denial of
service? This is always possible if somebody jams my public
interface with junk. Even if it does not go through, it will clog the
public access pipe. You don't need to forge packets for that.
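As an added example (not part of the original post or of the thread), the two points made above, refusing source-routed packets and refusing packets that arrive from the public side carrying a net a or net b source address, written out as a stateless per-packet filter in Python. Net a, net b and the interface names are assumptions using the documentation address ranges; the third rule, dropping packets that leave an internal net with a non-internal source, goes beyond the post and is the usual companion egress check. reply_interface shows the "one shot" observation: a reply to a forged internal source is routed back inside, so the sender on the public side never sees it.

```python
"""Stateless anti-spoofing filter for a router with one public and two
internal interfaces. Constructed example; addresses and interface names
are assumptions, not taken from the post."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed addressing for "net a" and "net b" (documentation ranges).
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),      # net a (assumed)
    ipaddress.ip_network("198.51.100.0/24"),   # net b (assumed)
]
PUBLIC_IFACE = "public"                        # assumed interface name
INSIDE_IFACES = {"net_a", "net_b"}             # assumed interface names

# IP options that carry a source route (LSRR = type 131, SSRR = type 137).
# Point 1 of the post: a firewall router must not honour these at all.
SOURCE_ROUTE_OPTIONS = {"LSRR", "SSRR"}


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    options: tuple = ()   # names of IP options present in the header


def is_internal(addr: str) -> bool:
    """True if addr belongs to net a or net b."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def ingress_decision(pkt: Packet) -> tuple[str, str]:
    """Return ("drop", reason) or ("accept", "") for an arriving packet."""
    # Rule 1: never honour source routing, whatever interface it came in on.
    if SOURCE_ROUTE_OPTIONS & set(pkt.options):
        return ("drop", "source routing not honoured")
    # Rule 2: an internal source address cannot legitimately arrive from
    # the public side; the post's "forged packet" case.
    if pkt.iface == PUBLIC_IFACE and is_internal(pkt.src):
        return ("drop", "internal source address arriving from the public side")
    # Rule 3 (beyond the post): nothing with a foreign source may leave
    # an internal net, so our nets cannot be used as a spoofing origin.
    if pkt.iface in INSIDE_IFACES and not is_internal(pkt.src):
        return ("drop", "non-internal source leaving an internal net")
    return ("accept", "")


def reply_interface(pkt: Packet) -> str:
    """Where a reply addressed to pkt.src would be routed. For a forged
    internal source the reply goes back inside, never to the public side,
    which is why the post calls such an attack a one-shot."""
    return "inside" if is_internal(pkt.src) else PUBLIC_IFACE


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real network.
    samples = [
        Packet("public", "192.0.2.10", "192.0.2.1", "udp"),              # forged net a source
        Packet("public", "203.0.113.5", "192.0.2.1", "udp", ("LSRR",)),  # source-routed
        Packet("public", "203.0.113.5", "192.0.2.1", "tcp"),             # ordinary inbound
        Packet("net_a", "203.0.113.5", "198.51.100.7", "udp"),           # forged source leaving net a
        Packet("net_a", "192.0.2.10", "198.51.100.7", "udp"),            # net a to net b
    ]
    for p in samples:
        verdict, why = ingress_decision(p)
        print(f"{p.iface:7s} {p.src:>14s} -> {p.dst:<14s} {p.proto}: {verdict} {why}")
    forged = samples[0]
    print("reply to", forged.src, "would leave via", reply_interface(forged))
```

The filter is deliberately stateless: it decides on the arrival interface and the IP header alone, which is all a 1990s-style screening router had. It does nothing about the post's remaining case, a single forged UDP datagram from the public side addressed to a service that is allowed through; that needs the service itself, or a stateful filter, to reject it.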