Dynamic table that maps network addresses to ports

A forwarding information base (FIB), also known as a forwarding table or MAC table, is most commonly used in network bridging, routing, and similar functions to find the proper output network interface controller to which the input interface should forward a packet. It is a dynamic table that maps MAC addresses to ports. It is the essential mechanism that separates network switches from Ethernet hubs. Content-addressable memory (CAM) is typically used to efficiently implement the FIB, thus it is sometimes called a CAM table.

Applications at data link layer

At the data link layer, a FIB is most notably used to facilitate Ethernet bridging based on MAC addresses. Other data-link-layer technologies using FIBs include Frame Relay, Asynchronous Transfer Mode (ATM) and Multiprotocol Label Switching (MPLS).

Bridging

The role of an Ethernet switch is to forward Ethernet frames from one port to another. The presence of a FIB is one attribute that separates a switch from a hub. Without a functional FIB, all frames received by a network switch would be echoed back out to all other ports, much like an Ethernet hub. In bridging packets between ports, a switch should only emit a frame on the port where the destination network device resides (unicast), unless the frame is for all nodes on the switch (broadcast), multiple nodes (multicast) or if the switch doesn't know where the destination device resides (unicast flood).

Switches learn the port on which they first saw a particular source address and associate that port with that address. When the bridge subsequently receives a frame with a destination address in its FIB, it sends the frame out the port stored in the FIB entry.

The FIB is a memory construct used by an Ethernet switch to map a station's MAC address to the switch port the station is connected to. This allows switches to facilitate communications between connected stations at high speed.

Frame Relay

While the exact mechanics of a forwarding table are implementation-specific, the general model for Frame Relay is that switches have statically defined forwarding tables, one per interface. When a frame with a given data link connection identifier (DLCI) is received on one interface, the table associated with that interface gives the outgoing interface, and the new DLCI to insert into the frame's address field.

Asynchronous Transfer Mode

ATM switches have link-level forwarding tables much like those used in Frame Relay. Rather than a DLCI, however, interfaces have forwarding tables that specify the outgoing interface by virtual path identifier (VPI) and virtual circuit identifier (VCI). These tables may be configured statically, or they can be distributed by the Private Network-to-Network Interface (PNNI) protocol. When PNNI is in use, the ATM switches at the edges of the network map one of the standard ATM end-to-end identifiers, such as an NSAP address, to the next-hop VPI/VCI.

Multiprotocol Label Switching

MPLS has many similarities, at the forwarding level, to ATM. The label edge routers at the edges of an MPLS cloud map between the end-to-end identifier, such as an IP address, and a link-local label. At each MPLS hop, there is a forwarding table that tells the label-switched router which outgoing interface is to receive the MPLS packet, and what label to use when sending the packet out that interface.

Applications at the network layer

Network layer addresses, such as IP addresses, are used on different types of media and can be handled similarly in all cases.

Forwarding

FIBs are optimized for fast lookup of destination addresses and can improve performance of forwarding compared to using the routing information base (RIB) directly. The RIB is optimized for efficient updating by routing protocols and other control plane methods, and contains the full set of routes learned by the router. Earlier implementations cached only a subset of the routes most frequently used in actual forwarding, and this worked reasonably well for enterprises where there is a meaningful most-frequently-used subset. Routers used for accessing the entire Internet, however, experienced severe performance degradation in refreshing routes cached in a small FIB, and various implementations moved to having FIBs in one-to-one correspondence with the RIB.

Ingress filtering against denial of service

FIBs can also play a role in an Internet best current practice (BCP) of ingress filtering. Though the simplest form of ingress filtering is to use access-control lists to drop packets with improper source addresses, the use of access lists becomes difficult on routers with a large number of adjacent networks, and traditional access lists are not used in high-performance router forwarding paths.

While the IETF document BCP 38 on ingress filtering does not specify a method of implementing source address filtering, some router vendors have implemented a mechanism that employs reverse-path forwarding lookups in the router's tables to perform this check. This is often implemented as a lookup in the FIB of the source address of the packet. If the interface has no route to the source address, the packet is assumed to be part of a denial of service attack, using a spoofed source address, and the router discards the packet.

When the router is multihomed, ingress filtering becomes more complex. There are perfectly reasonable operational scenarios in which a packet could arrive on one interface, but that specific interface might not have a route to the source address. For the routers near the edge of the Internet, packet filters can provide a simpler and more effective solution than methods that employ routing information lookup, though this approach can be challenging when managing routers that are reconfigured often. Ingress filtering for multihomed routers will accept the packet if there is a route back to its source address from any interface on the router. For this type of filtering, the router may also maintain an adjacency table, also organized for fast lookup, that keeps track of the router interface addresses that are on all directly connected routers.

Quality of service

Differentiated services provides an additional method to select outgoing interfaces, based on a field that indicates the forwarding priority of the packet, as well as the preference of the packet to be dropped in the presence of congestion. Routers that support differentiated services not only have to look up the output interface for the destination address, but need to send the packet to the interface that best matches the differentiated services requirements. In other words, as well as matching the destination address, the FIB has to match differentiated services code points (DSCP).

Access control and accounting

Specific router implementations may, when a destination address or other FIB criterion is matched, specify another action to be done before forwarding (e.g., accounting or encryption), or apply an access control list that may cause the packet to be dropped.

Attacks

CAM tables can be targeted for setting up a man-in-the-middle attack. A threat agent which has control of a device connected to an Ethernet switch can use MAC flooding to attack the switch's CAM table. If the table fills up, other traffic is treated as broadcast, unknown-unicast and multicast traffic and is forwarded to all ports, making it available to the attacker.

References

Q. Dong et al., "Wire Speed Packet Classification Without TCAM: One More Register (And A Bit Of Logic) Is Enough", ACM SIGCOMM 2006.

P. Ferguson & D. Senie (May 2000). "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing". doi:10.17487/RFC2827. RFC 2827.

F. Baker; P. Savola (March 2004). "Ingress Filtering for Multihomed Networks". doi:10.17487/RFC3704. RFC 3704.

K. Nichols et al., "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, December 1998.

External links

Ivan Pepelnjak, RIBs and FIBs (aka IP Routing Table and CEF Table)
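The two reverse-path checks described in the ingress filtering section, as an added example that is not part of the article: a small longest-prefix-match FIB, the strict check (the FIB's route back to the packet's source must leave via the interface the packet arrived on) and the loose check used on multihomed routers (a route to the source must exist via any interface). The interface names, prefixes and packets are constructed for the example; the handling of the default route is an assumption about how a real implementation would avoid making the loose check vacuous.

```python
"""Ingress filtering with reverse-path lookups against a FIB (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on
    src: str       # source IP address (the field the RPF check inspects)
    dst: str       # destination IP address (forwarding, not checked here)


class Fib:
    """Forwarding table: destination prefix -> outgoing interface, longest-prefix match."""

    def __init__(self):
        self._routes = []  # (ip_network, out_iface), most specific prefix first

    def add_route(self, prefix, out_iface):
        self._routes.append((ipaddress.ip_network(prefix), out_iface))
        # keep the longest prefixes first so the first hit is the longest match
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, address):
        """Return (matching_network, out_iface) for the longest match, or None if unrouted."""
        addr = ipaddress.ip_address(address)
        for network, out_iface in self._routes:
            if addr in network:  # False when address families differ
                return network, out_iface
        return None


def strict_rpf(fib, packet):
    """Strict check: the route back to the source must leave via the arrival interface."""
    hit = fib.lookup(packet.src)
    return hit is not None and hit[1] == packet.in_iface


def loose_rpf(fib, packet, allow_default=False):
    """Loose check (multihomed routers): a route to the source must exist via any interface.

    Assumption: a default route would match every source, so it is ignored unless
    allow_default is set; otherwise the loose check would never drop anything.
    """
    hit = fib.lookup(packet.src)
    if hit is None:
        return False
    network, _ = hit
    return allow_default or network.prefixlen > 0


def filter_packets(fib, packets, mode="strict"):
    """Run the chosen check over packets; returns a list of (packet, verdict)."""
    results = []
    for p in packets:
        ok = strict_rpf(fib, p) if mode == "strict" else loose_rpf(fib, p)
        results.append((p, "accept" if ok else "drop"))
    return results


def build_demo_fib():
    """Constructed FIB for a router with two upstream links and one customer LAN."""
    fib = Fib()
    fib.add_route("0.0.0.0/0", "uplink0")        # default route
    fib.add_route("198.51.100.0/24", "uplink1")  # prefix learned via the second upstream
    fib.add_route("192.0.2.0/24", "cust0")       # directly connected customer LAN
    return fib


# Constructed packets covering the cases the article describes.
DEMO_PACKETS = [
    Packet("cust0", "192.0.2.10", "203.0.113.1"),     # legitimate customer traffic
    Packet("cust0", "203.0.113.5", "192.0.2.20"),     # spoofed source on the customer port
    Packet("uplink0", "198.51.100.7", "192.0.2.20"),  # asymmetric: return route is via uplink1
    Packet("uplink1", "10.0.0.1", "192.0.2.20"),      # source covered only by the default route
]


def demo():
    """Verdicts per mode, in DEMO_PACKETS order."""
    fib = build_demo_fib()
    return {mode: [v for _, v in filter_packets(fib, DEMO_PACKETS, mode)]
            for mode in ("strict", "loose")}


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

The third packet is the multihomed case from the article: strict filtering drops it because the route back to 198.51.100.0/24 points out uplink1, not the arrival interface, while loose filtering accepts it because some interface has a route to the source. The second and fourth packets show why the loose check has to treat the default route specially: with `allow_default=True` the spoofed source on the customer port would be accepted.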
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.