From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail2.tohojo.dk (mail2.tohojo.dk [IPv6:2a01:4f8:200:3141::101])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by huchra.bufferbloat.net (Postfix) with ESMTPS id 3CF0B21F0AE
	for ; Mon, 24 Mar 2014 09:56:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at example.com
Received: by alrua-kau.localdomain (Postfix, from userid 1000)
	id 5B21991C9C; Mon, 24 Mar 2014 17:55:56 +0100 (CET)
From: Toke Høiland-Jørgensen
To: Rich Brown
References:
Date: Mon, 24 Mar 2014 17:55:54 +0100
In-Reply-To: (Rich Brown's message of "Mon, 24 Mar 2014 12:32:47 -0400")
Message-ID: <87mwgf7cyt.fsf@toke.dk>
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] Updates to the wiki for 3.10.32-12
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 24 Mar 2014 16:56:04 -0000

--=-=-=
Content-Type: text/plain

Rich Brown writes:

> - I have added a BCP38 page to give an overview of that page. A
> question that I haven't seen addressed in the commentary on the list:
> Does this BCP38 implementation also filter out spoofed source addresses? (I
> imagine it would, but the pages don't specifically say so.)

It blocks the configured subnets:

- at ingress on one
- at egress on destination.

I.e.
a packet arriving on the WAN interface *from* one of the configured
subnets or a packet departing the WAN interface *towards* one of the
configured subnets will get dropped.

You could presumably still send a packet from the inside with a spoofed
source address, but that source address would then get rewritten by the
NAT filter...

-Toke

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--
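The drop rules described in the reply above, modelled as an added example that is not part of the original message and is not CeroWrt's own code. The subnet list, the WAN address, and all function names are assumptions made for illustration, and the sequence "egress check, then source NAT" is a simplified model of the behaviour the reply describes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample list: the message does not say which subnets are configured.
CONFIGURED = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed WAN address of the router (documentation range).
WAN_ADDR = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_configured(addr: str) -> bool:
    """True if addr falls inside any configured subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CONFIGURED)


def wan_ingress(pkt: Packet) -> str:
    """Arriving on WAN: only the source address is matched."""
    return "drop" if in_configured(pkt.src) else "accept"


def wan_egress(pkt: Packet) -> str:
    """Departing WAN: only the destination address is matched."""
    return "drop" if in_configured(pkt.dst) else "accept"


def forward_lan_to_wan(pkt: Packet):
    """LAN host sends outward: destination check, then source NAT.

    The source is never matched on this path, so a spoofed inside source
    is not dropped; it is replaced by the WAN address instead.
    """
    if wan_egress(pkt) == "drop":
        return "drop", None
    return "accept", Packet(src=WAN_ADDR, dst=pkt.dst)


if __name__ == "__main__":
    # Constructed packets covering the three cases in the reply.
    print(wan_ingress(Packet("192.168.1.5", WAN_ADDR)))
    print(wan_egress(Packet(WAN_ADDR, "10.1.2.3")))
    print(forward_lan_to_wan(Packet("192.0.2.99", "198.51.100.9")))
```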