Ingress filtering
From Wikipedia, the free encyclopedia
In computer networking, ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.
The Problem
Networks receive packets from other networks. Normally a packet will contain the IP address of the computer that originally sent it. This allows other computers in the network to know where it came from, which is needed for things like sending a packet back to the sending computer.
In certain cases, the sending IP address will be spoofed. This is usually done as part of an attack, so that the attacked computer does not know where the attack is really coming from.
The Solution
Filtering a packet is when the packet is not processed normally, but is denied in some way. The computer processing the packet might simply ignore the packet completely, or where it is possible it might send a packet back to the sender saying the packet is denied.
In ingress filtering, a packet coming into the network is filtered if the network it arrived from should not be sending packets with the source IP address it carries.
In order to do ingress filtering, the network needs to know which IP addresses each of the networks it is connected to may send. This is not always possible. For instance, a network that has a single connection to the Internet has no way to know if a packet coming from that connection is spoofed or not.
Edge networks, whether multi-homed or not, usually have a limited number of address blocks in use. Such edge networks should filter packets leaving their networks, verifying that the source IP address of every packet is within the address blocks allocated to them. Enterprises, universities and others who run edge networks should be doing this. The purpose is to prevent computers on your network from spoofing (acting as another host). Implementing this egress filtering on an edge network is very simple and should be done with access lists.
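The edge-network check described above, as an added example that is not part of the Wikipedia article: a small source-address validator that models an access list per interface and rejects packets whose source address lies outside the blocks allocated to that interface. The interface names and address blocks are constructed for the example (documentation prefixes), and it deliberately covers only the edge/egress case; the article's caveat that a single upstream link gives no basis for such a check still applies.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology for this example: each LAN-facing interface maps to
# the address blocks allocated to the hosts behind it (BCP 38 style).
ALLOCATED: Dict[str, List[str]] = {
    "eth1": ["192.0.2.0/24"],                      # LAN A
    "eth2": ["198.51.100.0/25", "2001:db8::/48"],  # LAN B (dual-stack)
}

def build_acl(allocated: Dict[str, List[str]]) -> Dict[str, list]:
    """Parse the allocation table into network objects once, up front."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in allocated.items()}

def check_packet(acl: Dict[str, list], iface: str, src: str) -> Tuple[str, str]:
    """Return ('permit' | 'deny', reason) for a packet entering on iface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "deny", f"unparseable source address {src!r}"
    nets = acl.get(iface)
    if nets is None:
        # No allocation known for this interface: nothing to validate against.
        return "deny", f"no address blocks allocated to {iface}"
    for net in nets:
        if addr.version == net.version and addr in net:
            return "permit", f"{src} is within {net}"
    return "deny", f"{src} is outside the blocks allocated to {iface}"

def filter_packets(acl: Dict[str, list], packets: List[Tuple[str, str, str]]):
    """Classify (iface, src, dst) tuples; returns (verdicts, deny_count)."""
    verdicts = [(iface, src, dst, *check_packet(acl, iface, src))
                for iface, src, dst in packets]
    return verdicts, sum(1 for v in verdicts if v[3] == "deny")

# Constructed sample traffic: two legitimate packets, one IPv6 packet
# outside LAN B's block, and one IPv4 packet spoofing an address LAN A
# was never allocated.
SAMPLE = [
    ("eth1", "192.0.2.10", "203.0.113.1"),
    ("eth2", "2001:db8::1", "2001:db8:ffff::1"),
    ("eth2", "2001:db8:1::1", "2001:db8:ffff::1"),
    ("eth1", "203.0.113.7", "198.51.100.9"),
]

if __name__ == "__main__":
    results, denied = filter_packets(build_acl(ALLOCATED), SAMPLE)
    for iface, src, dst, verdict, reason in results:
        print(f"{iface:5} {src:>16} -> {dst:16} {verdict:6} ({reason})")
    print(f"{denied} of {len(results)} packets denied")
```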
External links
- RFC 2827 (BCP 38)