Ingress filtering

From Wikipedia, the free encyclopedia

In computer networking, ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.


The Problem

Networks receive packets from other networks. Normally a packet contains the IP address of the computer that originally sent it. This allows other computers in the network to know where it came from, which is needed for things like sending a reply back to the sending computer.

In certain cases, the sending IP address will be spoofed. This is usually done as part of an attack, so that the attacked computer does not know where the attack is really coming from.

The Solution

Filtering a packet means that the packet is not processed normally but is denied in some way. The computer processing the packet might simply discard it silently, or, where possible, it might send a packet back to the sender saying that the packet was denied.

In ingress filtering, a packet coming into the network is filtered if the network that forwarded it should not be sending packets carrying the IP address of the originating computer as the source.

In order to do ingress filtering, the network needs to know which IP addresses each of the networks it is connected to may use as source addresses. This is not always possible. For instance, a network that has a single connection to the Internet has no way to know whether a packet arriving over that connection is spoofed or not.
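The following is an added illustration (not part of the article) of the per-link check described above: a border router keeps, for each attached network, the list of source prefixes that network is allowed to use, and drops packets whose source address does not belong to the arriving interface's list. Interface names, the prefix table and the sample packets are constructed for the example; an interface with no prefix list stands for the single-uplink case where the router cannot validate sources.

```python
import ipaddress

# Constructed example: three interfaces on a border router, each mapped to the
# prefixes the attached network may legitimately use as packet sources.
# A value of None marks a link whose sources cannot be validated (e.g. the
# network's only Internet connection), so its packets pass unchecked.
INTERFACE_SOURCES = {
    "eth1": ["192.0.2.0/24"],                        # customer network A
    "eth2": ["198.51.100.0/24", "203.0.113.0/24"],   # customer network B
    "eth0": None,                                    # upstream: unvalidated
}


def build_filter(table):
    """Parse the prefix strings once into network objects for fast lookups."""
    return {
        iface: None if prefixes is None
        else [ipaddress.ip_network(p) for p in prefixes]
        for iface, prefixes in table.items()
    }


def ingress_decision(filt, iface, src_ip):
    """Return 'accept' or 'drop' for a packet with source src_ip arriving on iface.

    Drops when the attached network should not be sending packets with this
    source address; packets from unknown interfaces are dropped as well.
    """
    if iface not in filt:
        return "drop"
    allowed = filt[iface]
    if allowed is None:
        return "accept"          # no source information for this link
    src = ipaddress.ip_address(src_ip)
    return "accept" if any(src in net for net in allowed) else "drop"


def apply_filter(filt, packets):
    """Apply the decision to (iface, src_ip) pairs; returns (iface, src, verdict)."""
    return [(iface, src, ingress_decision(filt, iface, src)) for iface, src in packets]


if __name__ == "__main__":
    f = build_filter(INTERFACE_SOURCES)
    sample = [("eth1", "192.0.2.10"),      # genuine source from customer A
              ("eth1", "198.51.100.7"),    # customer B's address on A's link: spoofed
              ("eth2", "203.0.113.5"),     # genuine source from customer B
              ("eth0", "192.0.2.10")]      # upstream link: cannot be checked
    for row in apply_filter(f, sample):
        print(row)
```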
