Forwarding information base

A forwarding information base (FIB), also known as a forwarding table or MAC table, is most commonly used in network bridging, routing, and similar functions to find the proper output network interface controller to which the input interface should forward a packet. It is a dynamic table that maps MAC addresses to ports. It is the essential mechanism that separates network switches from Ethernet hubs. Content-addressable memory (CAM) is typically used to efficiently implement the FIB, thus it is sometimes called a CAM table.

Applications at data link layer

At the data link layer, a FIB is most notably used to facilitate Ethernet bridging based on MAC addresses. Other data-link-layer technologies using FIBs include Frame Relay, Asynchronous Transfer Mode (ATM) and Multiprotocol Label Switching (MPLS).

Bridging

The role of an Ethernet switch is to forward Ethernet frames from one port to another. The presence of a FIB is one attribute that separates a switch from a hub. Without a functional FIB, all frames received by a network switch would be echoed back out to all other ports, much like an Ethernet hub. In bridging packets between ports, a switch should only emit a frame on the port where the destination network device resides (unicast), unless the frame is for all nodes on the switch (broadcast), multiple nodes (multicast) or if the switch doesn't know where the destination device resides (unicast flood).

Switches learn the port on which they first saw a particular source address and associate that port with that address. When the bridge subsequently receives a frame with a destination address in its FIB, it sends the frame out the port stored in the FIB entry.

The FIB is a memory construct used by an Ethernet switch to map a station's MAC address to the switch port the station is connected to. This allows switches to facilitate communications between connected stations at high speed.

Frame Relay

While the exact mechanics of a forwarding table are implementation-specific, the general model for Frame Relay is that switches have statically defined forwarding tables, one per interface. When a frame with a given data link connection identifier (DLCI) is received on one interface, the table associated with that interface gives the outgoing interface, and the new DLCI to insert into the frame's address field.

Asynchronous Transfer Mode

ATM switches have link-level forwarding tables much like those used in Frame Relay. Rather than a DLCI, however, interfaces have forwarding tables that specify the outgoing interface by virtual path identifier (VPI) and virtual circuit identifier (VCI). These tables may be configured statically, or they can be distributed by the Private Network-to-Network Interface (PNNI) protocol. When PNNI is in use, the ATM switches at the edges of the network map one of the standard ATM end-to-end identifiers, such as an NSAP address, to the next-hop VPI/VCI.

Multiprotocol Label Switching

MPLS has many similarities, at the forwarding level, to ATM. The label edge routers at the edges of an MPLS cloud map between the end-to-end identifier, such as an IP address, and a link-local label. At each MPLS hop, there is a forwarding table that tells the label-switched router which outgoing interface is to receive the MPLS packet, and what label to use when sending the packet out that interface.

Applications at the network layer

Network layer addresses, such as IP addresses, are used on different types of media and can be handled similarly in all cases.

Forwarding

FIBs are optimized for fast lookup of destination addresses and can improve performance of forwarding compared to using the routing information base (RIB) directly. The RIB is optimized for efficient updating by routing protocols and other control plane methods, and contains the full set of routes learned by the router. Earlier implementations cached only a subset of the routes most frequently used in actual forwarding, and this worked reasonably well for enterprises where there is a meaningful most-frequently-used subset. Routers used for accessing the entire Internet, however, experienced severe performance degradation in refreshing routes cached in a small FIB, and various implementations moved to having FIBs in one-to-one correspondence with the RIB.

Ingress filtering against denial of service

FIBs can also play a role in an Internet best current practice (BCP) of ingress filtering. Though the simplest form of ingress filtering is to use access-control lists to drop packets with improper source addresses, the use of access lists becomes difficult on routers with a large number of adjacent networks, and traditional access lists are not used in high-performance router forwarding paths.

While the IETF document BCP 38 on ingress filtering does not specify a method of implementing source address filtering, some router vendors have implemented a mechanism that employs reverse-path forwarding lookups in the router's tables to perform this check. This is often implemented as a lookup in the FIB of the source address of the packet. If the interface has no route to the source address, the packet is assumed to be part of a denial of service attack, using a spoofed source address, and the router discards the packet.

When the router is multihomed, ingress filtering becomes more complex. There are perfectly reasonable operational scenarios in which a packet could arrive on one interface, but that specific interface might not have a route to the source address. For the routers near the edge of the Internet, packet filters can provide a simpler and more effective solution than methods that employ routing information lookup, though this approach can be challenging when managing routers that are reconfigured often. Ingress filtering for multihomed routers will accept the packet if there is a route back to its source address from any interface on the router. For this type of filtering, the router may also maintain an adjacency table, also organized for fast lookup, that keeps track of the router interface addresses that are on all directly connected routers.

Quality of service

Differentiated services provides an additional method to select outgoing interfaces, based on a field that indicates the forwarding priority of the packet, as well as the preference of the packet to be dropped in the presence of congestion. Routers that support differentiated service not only have to look up the output interface for the destination address, but need to send the packet to the interface that best matches the differentiated services requirements. In other words, as well as matching the destination address, the FIB has to match differentiated services code points (DSCP).

Access control and accounting

Specific router implementations may, when a destination address or other FIB criterion is matched, specify another action to be done before forwarding (e.g., accounting or encryption), or apply an access control list that may cause the packet to be dropped.

Attacks

CAM tables can be targeted for setting up a man-in-the-middle attack. A threat agent which has control of a device connected to an Ethernet switch can use MAC flooding to attack the switch's CAM table. If the table fills up, other traffic is treated as broadcast, unknown-unicast and multicast traffic and is forwarded to all ports making it available to the attacker.
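The source-address check described under ingress filtering can be compared in its two forms with a small model. This is an added example, not code from the original article or from any router vendor; the FIB contents, interface names and packets are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed FIB for a hypothetical multihomed router (documentation prefixes).
# Each entry maps a prefix to the interface of the best route toward it.
# No default route is installed: with one, the "any interface" check below
# would find a route for every source and filter nothing.
FIB = [
    (ipaddress.ip_network("198.51.100.0/24"), "eth1"),    # customer A
    (ipaddress.ip_network("198.51.100.128/25"), "eth2"),  # more specific, customer B
    (ipaddress.ip_network("203.0.113.0/24"), "eth0"),     # upstream
]

# Constructed arrivals: (source address, arrival interface).
PACKETS = [
    ("198.51.100.10", "eth1"),   # symmetric path
    ("198.51.100.200", "eth1"),  # legitimate, but best route back is eth2
    ("192.0.2.55", "eth1"),      # no route back at all: treated as spoofed
    ("203.0.113.7", "eth0"),     # symmetric path
]

def fib_lookup(addr):
    """Longest-prefix match on addr; returns the interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifname) for net, ifname in FIB if ip in net]
    return max(matches)[1] if matches else None

def strict_rpf(src, in_if):
    """Accept only if the route back to src leaves via the arrival interface."""
    return fib_lookup(src) == in_if

def multihomed_rpf(src, in_if):
    """Accept if a route back to src exists via any interface on the router."""
    return fib_lookup(src) is not None

def classify(packets, check):
    """Apply one reverse-path check to every (src, in_if) pair."""
    return [(src, in_if, "accept" if check(src, in_if) else "drop")
            for src, in_if in packets]

if __name__ == "__main__":
    for name, check in (("strict", strict_rpf), ("multihomed", multihomed_rpf)):
        for src, in_if, verdict in classify(PACKETS, check):
            print(f"{name:10} {src:15} on {in_if}: {verdict}")
```

The second packet is the multihomed case the text describes: the strict check drops legitimate traffic that arrives over an asymmetric path, while the relaxed check accepts it and still drops the source with no route back.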

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.