[NCLUG] Egress Filtering

Mark Fassler fassler at monkeysoft.net
Wed Aug 8 00:29:12 MDT 2001


I personally like the idea of egress filtering.  Basically, the router 
just has to do a lookup against its routing tables, but in a reverse 
manner.  

I don't know if the load on the router would increase significantly (it 
may very well cut the performance almost in half, since it has to do twice 
as many route lookups, or it may not... I have no idea what the processor 
utilization is on a typical router).

If it does affect the performance of the router significantly, then it 
might be difficult to get many people to implement it.  (egress filtering 
doesn't protect *your* network, it only protects the rest of the 
Internet..)

If egress routing was implemented on the majority of routers (and 
certainly all the big ones) this would stop many DDoS attacks.

Since this is something that would only be mutually beneficial and not 
individually beneficial, perhaps it would be appropriate for the 
government to require that all new routers implement egress routing.

(Although, I doubt that any new "cyber-terrorism" law that doesn't involve 
locking up people would get passed.  There's just no publicity in it...)

--
Mark Fassler
fassler at monkeysoft.net
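
The reverse lookup described in the message above, sketched as an added example that is not part of the original post: a packet is forwarded only if the route back to its source address leaves through the interface it arrived on. The routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a hypothetical edge router: (prefix, interface).
ROUTES = [
    ("0.0.0.0/0", "wan0"),          # default route to the upstream provider
    ("192.0.2.0/24", "lan0"),       # customer network A
    ("198.51.100.0/24", "lan1"),    # customer network B
    ("198.51.100.128/25", "lan0"),  # more specific part of B, reached via lan0
]

def build_table(routes):
    """Parse prefixes once and order them longest prefix first."""
    table = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def lookup(table, addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    for net, ifc in table:
        if ip in net:
            return ifc
    return None

def reverse_path_ok(table, src, in_ifc):
    """The 'reverse' lookup: the route back to src must use the arrival interface."""
    return lookup(table, src) == in_ifc

def forward(table, src, dst, in_ifc):
    """Two lookups per packet: source (filter) first, then destination (routing)."""
    if not reverse_path_ok(table, src, in_ifc):
        return ("drop", None)
    return ("forward", lookup(table, dst))

if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed sample packets: (source, destination, arrival interface).
    packets = [
        ("192.0.2.10", "203.0.113.5", "lan0"),      # legitimate customer source
        ("203.0.113.99", "203.0.113.5", "lan0"),    # source not routed via lan0
        ("198.51.100.200", "203.0.113.5", "lan1"),  # more specific route says lan0
        ("198.51.100.5", "192.0.2.10", "lan1"),     # legitimate, stays internal
    ]
    for src, dst, ifc in packets:
        print(src, "->", dst, "on", ifc, ":", forward(table, src, dst, ifc))
```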


