Ingress filtering

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In computer networking, ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.

Problem[edit]

Networks receive packets from other networks. Normally a packet will contain the IP address of the computer that originally sent it. This allows devices in the receiving network to know where it came from, allowing a reply to be routed back (amongst other things).

However, a sender IP address can be faked ('spoofed'), characterising a spoofing attack. This disguises the origin of packets sent, for example in a denial-of-service attack.

Solution[edit]

A potential solution involves intermediate internet gateways (i.e., those servers connecting disparate networks along the path followed by any given packet) filtering or denying any packet deemed to be illegitimate. The gateway processing the packet might simply ignore the packet completely, or where it is possible it might send a packet back to the sender, saying that the illegitimate packet has been denied.

Any router that implements ingress filtering checks the source IP field of IP packets it receives, and drops packets if the packets don't have an IP address in the IP address block that the interface is connected to. This may not be possible if the end host is multi-homed and also sends transit network traffic.

In ingress filtering, packets coming into the network are filtered if the network sending it should not send packets from IP addresses of the originating computer. If the end host is a stub network or host, the router needs to filter all IP packets that have, as the source IP, private addresses (RFC 1918), bogon addresses or addresses that do not have the same network address as the interface.

Networks[edit]

Network ingress filtering is a packet filtering technique used by many Internet service providers to try to prevent source address spoofing of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source.

Network ingress filtering is a "good neighbor" policy which relies on cooperation between ISPs for their mutual benefit.

The best current practices for network ingress filtering are documented by the Internet Engineering Task Force in BCP 38 and BCP 84, which are defined by RFCs 2827 and 3704, respectively.[1][2]

BCP 84 recommends that upstream providers of IP connectivity filter packets entering their networks from downstream customers, and discard any packets which have a source address which is not allocated to that customer.

There are many possible ways of implementing this policy; one common mechanism is to enable reverse path forwarding on links to customers, which will indirectly apply this policy based on the provider's route filtering of their customers' route announcements.

See also[edit]

References[edit]

External links[edit]

  • RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing (BCP 38)
  • RFC 3704 Ingress Filtering for Multihomed Networks (BCP 84)
  • Jay R. Ashworth. "BCP38.info".