Ingress filtering
Encyclopedia
In computer networking, ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.
of the computer that originally sent it. This allows devices in the receiving network to know where it came from, allowing a reply to be routed back (amongst other things).
However, a sender IP address can be faked ('spoofed
'), characterising a Spoofing attack
. This disguises the origin of packets sent, e.g., in a Denial-of-service attack
.
In ingress filtering, packets coming into the network are filtered if the network sending it should not send packets from IP addresses of the originating computer.
In order to do ingress filtering, the network needs to know which IP addresses each of the networks it is connected to may send. This is not always possible. For instance, a network that has a single connection to the Internet has no way to know if a packet coming from that connection is spoofed or not.
Edge networks, whether multi-homed or not, usually have a limited number of address block
s in use. Such edge networks should filter packets leaving their networks, verifying that the source IP address in all packets is within the allocated address blocks. Enterprises, universities and others who run edge networks should be doing this. The purpose is to prevent computers on your network from spoofing (acting as another). Implementation for edge networks of egress packets in this way is very simple and should be done with access lists.
s to try to prevent source address spoofing of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source.
Network ingress filtering is a "good neighbor" policy which relies on cooperation between ISPs for their mutual benefit.
The best current practice
for network ingress filtering is documented by the Internet Engineering Task Force
in BCP 38, which is currently defined by RFC 2827.
BCP 38 recommends that upstream providers of IP connectivity filter packets entering their networks from downstream customers, and discard any packets which have a source address which is not allocated to that customer.
There are many possible ways of implementing this policy; one common mechanism is to enable reverse path forwarding
on links to customers, which will indirectly apply this policy based on the provider's route filtering
of their customers' route announcements.
Problem
Networks receive packets from other networks. Normally a packet will contain the IP addressIP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
of the computer that originally sent it. This allows devices in the receiving network to know where it came from, allowing a reply to be routed back (amongst other things).
However, a sender IP address can be faked ('spoofed
IP address spoofing
In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.-Background:The basic...
'), characterising a Spoofing attack
Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...
. This disguises the origin of packets sent, e.g., in a Denial-of-service attack
Denial-of-service attack
A denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
.
Solution
Filtering a packet is when the packet is not processed normally, but is denied in some way. The computer processing the packet might simply ignore the packet completely, or where it is possible it might send a packet back to the sender saying the packet is denied.In ingress filtering, packets coming into the network are filtered if the network sending it should not send packets from IP addresses of the originating computer.
In order to do ingress filtering, the network needs to know which IP addresses each of the networks it is connected to may send. This is not always possible. For instance, a network that has a single connection to the Internet has no way to know if a packet coming from that connection is spoofed or not.
Edge networks, whether multi-homed or not, usually have a limited number of address block
Subnetwork
A subnetwork, or subnet, is a logically visible subdivision of an IP network. The practice of dividing a network into subnetworks is called subnetting....
s in use. Such edge networks should filter packets leaving their networks, verifying that the source IP address in all packets is within the allocated address blocks. Enterprises, universities and others who run edge networks should be doing this. The purpose is to prevent computers on your network from spoofing (acting as another). Implementation for edge networks of egress packets in this way is very simple and should be done with access lists.
Networks
Network ingress filtering is a packet filtering technique used by many Internet service providerInternet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
s to try to prevent source address spoofing of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source.
Network ingress filtering is a "good neighbor" policy which relies on cooperation between ISPs for their mutual benefit.
The best current practice
Best Current Practice
A best current practice is a de facto, dynamic level of performance in engineering and information technology. It is more flexible than a standard, since techniques and tools are continually evolving....
for network ingress filtering is documented by the Internet Engineering Task Force
Internet Engineering Task Force
The Internet Engineering Task Force develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies and dealing in particular with standards of the TCP/IP and Internet protocol suite...
in BCP 38, which is currently defined by RFC 2827.
BCP 38 recommends that upstream providers of IP connectivity filter packets entering their networks from downstream customers, and discard any packets which have a source address which is not allocated to that customer.
There are many possible ways of implementing this policy; one common mechanism is to enable reverse path forwarding
Reverse path forwarding
Reverse path forwarding is a technique used in modern routers for the purposes of ensuring loop-free forwarding of multicast packets in multicast routing and to help prevent IP address spoofing in unicast routing.- Multicast RPF :...
on links to customers, which will indirectly apply this policy based on the provider's route filtering
Route filtering
In the context of network routing, route filtering is the process by which certain routes are not considered for inclusion in the local route database, or not advertised to one's neighbours...
of their customers' route announcements.
External links
- RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
- RFC 2827 (BCP 38)