Network ingress filtering
From Wikipedia, the free encyclopedia
 |
It has been suggested that ingress filtering be merged into this article or section. (Discuss) |
Network ingress filtering is a packet filtering technique used by many Internet service providers to try to prevent source address spoofing of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source.
Network ingress filtering is a "good neighbor" policy which relies on mutual cooperation between ISPs for their mutual benefit.
The best current practice for network ingress filtering is documented by the Internet Engineering Task Force in BCP 38, which is currently defined by RFC 2827.
BCP 38 recommends that upstream providers of IP connectivity filter packets entering their networks from downstream customers, and discard any packets which have a source address which is not allocated to that customer.
There are many possible ways of implementing this policy; one common mechanism is to enable reverse path forwarding on links to customers, which will indirectly apply this policy based on the provider's route filtering of their customers' route announcements.
[edit] See also
- Address spoofing
- Prefix hijacking
- Egress filtering
[edit] External links
- RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
 |
This Internet-related article is a stub. You can help Wikipedia by expanding it. |
