Merit Joint Technical Staff
Proposed IP Address Spoofing Filter Policy
- From: Jeff Ogden
- Date: Mon Nov 11 10:39:01 1996
Proposed MichNet Policy on IP Address Spoofing Filters
This policy will be discussed at the Merit Joint Technical Staff (MJTS)
meeting in East Lansing next Tuesday, November 12th. Bert Rossi will be at
the meeting to answer questions.
Several Merit Joint Technical Staff meetings ago we discussed the need to
do packet filtering to protect against IP address spoofing (that is,
sending IP packets that use source addresses that are not assigned to the
part of the Internet where the packets originate).
We want these packet filters to do two things:
--protect our members and affiliates from "bad" packets
that originate elsewhere; and
--protect others from "bad" packets that originate at one
of our members or affiliates.
Thus we have both "self defense" and "good network citizenship" as motives
for doing this work.
We need to be clear that the "self defense" filters do not prevent spoofing
of all Internet addresses, only of the member or affiliate IP addresses and
then only within their own network. In fact, all they protect against is
attacks on machines that use local source IP addresses to authenticate
(some UNIX systems with rlogins and rsh enabled, some X Windows servers,
...). Said another way, the "self defense" filters prevent your own IP
addresses from being used against you, but they do NOT prevent someone
else's IP addresses from being used against you. The "good citizenship"
filters protect more broadly, but only if these filters are installed
everywhere throughout the entire Internet, something that is never likely
to be completely true.
For many years Merit has installed route filters that prevent a member or
affiliate from announcing routes for IP addresses that they do not own. We
will continue to use route filters, but route filters and packet filters
are different and while route filters are very useful they do not protect
against the same problems that packet filters do.
At the MJTS meeting it was generally agreed that Merit should install a
standard set of packet filters to deal with these problems, but there was
some concern that doing this might have a serious impact on the performance
of some routers. It was agreed that we'd evaluate the impact before going
forward with this sort of packet filtering.
The staff in Merit's Hardware Support Group has determined that we can
install the packet filters described below without a serious performance
impact. Unless there are strong objections raised at the upcoming MJTS
meeting, Merit's goal will be to have the new packet filters installed on
all routers by the end of January 1997. In some cases we are asking members
and affiliates with direct LAN attachments to backbone routers to install
packet filters in their own routers (see item #4 below) by this same date.
1) On tail routers at member or affiliate sites Merit will install both the
"self defense" and "good citizenship" packet filters. These filters will be
installed at the router's serial interface and will check the source IP
addresses on both inbound and outbound packets. For packets going from
MichNet to the member or affiliate we will reject packets that have a
source address that is assigned to the member or affiliate. For packets
going from the member or affiliate to MichNet we will reject packets that
do NOT have a source address that is assigned to the member or affiliate.
2) In cases where member or affiliate LANs are connected to a MichNet
backbone router Merit will install just the "self defense" packet filters.
These filters will be installed at the backbone router's LAN interfaces and
will check the source IP addresses on packets going from MichNet to the
member or affiliate and reject packets with source addresses that are
assigned to the member or affiliate. Because of the performance impact on
some backbone routers, Merit will NOT install the "good citizenship" packet
filters that check the source IP address on packets going from members or
affiliates to MichNet.
3) In cases where member or affiliate LANs are directly connected to a
backbone router AND the backbone router is used to route traffic between
the organization's sub-networks it will not be possible to install the
"self defense" packet filters. In these cases the member or affiliate
should contact Merit to develop alternatives.
4) Because we are NOT able to install the "good citizenship" filters for
members or affiliates whose LANs are directly attached to backbone routers,
we are asking these members and affiliates to install these filters on
their own routers. Merit staff will be available to assist in this work. If
a member or affiliate is unable or unwilling to install these filters, they
should contact Merit so we can discuss alternatives.
5) Members and affiliates with direct LAN attachments to backbone routers
may choose to install the "self defense" filters on their own routers and
in this case Merit will not install a filter on the member or affiliate LAN
interface.
6) The performance impact of packet filtering is not as serious for some of
the newer backbone routers that are now being installed. So, in the future,
it may be possible for Merit to install packet filters that check the
source address on packets going from a member or affiliate to MichNet even
in cases where the attachment is via a LAN interface on a backbone router.
7) The packet filters that will be installed by Merit provide protection at
the gateway that connects a member or affiliate organization. We encourage
members and affiliates to seriously consider installing similar packet
filters on their own internal routers. For large organizations installing
filters that protect smaller portions of their networks is likely to be
much more effective than filters that are designed to protect the network
as a whole.
8) From time to time Merit is asked to install specific packet filters by a
member or affiliate. These filters are often related to network security in
some way. In general we discourage members and affiliates from using these
sorts of non-standard filters, since it is not considered good practice to
depend on an outside party such as Merit to implement an organization's
internal security policies. However, while we continue to discourage the
use of non-standard filters, Merit will install non-standard packet filters
on tail routers managed by Merit at a member or affiliate's site on
request. There will be a fee of $100 a month to install and maintain these
non-standard filters. There will be an additional consulting fee of $75 per
hour if the member or affiliate needs help in designing or specifying these
non-standard filters. Merit will NOT install non-standard filters on
backbone routers.
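To make the two filter directions in items 1 and 2 concrete, and to show why the route filters mentioned earlier do not catch the same problem, here is a small simulation. This is an added example, not part of the original post and not Merit's router configuration; the member address space (192.0.2.0/24 and 198.51.100.0/25), the sample packets and the route announcements are all constructed for illustration, and the function names are hypothetical.

```python
"""Added example (not from the original MichNet policy post): a simulation of
the "self defense" and "good citizenship" source-address packet filters the
policy describes, plus the older route filter, to show what each one checks.
All prefixes, packets and announcements below are constructed."""
from ipaddress import ip_address, ip_network

# Hypothetical address space assigned to one member site (constructed).
MEMBER_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]


def assigned_to_member(src, prefixes=MEMBER_PREFIXES):
    """True if the source address falls inside a prefix assigned to the member."""
    addr = ip_address(src)
    return any(addr in net for net in prefixes)


def self_defense_filter(src):
    """MichNet -> member direction (item 1 and item 2): reject a packet that
    claims a member source address, since a genuine one never arrives from
    outside. Only hosts that trust local source addresses benefit from this."""
    return "reject" if assigned_to_member(src) else "permit"


def good_citizenship_filter(src):
    """member -> MichNet direction (item 1 only on tail routers): reject a
    packet whose source address is NOT assigned to the member, so the site
    cannot be used to spoof somebody else's addresses."""
    return "permit" if assigned_to_member(src) else "reject"


def apply_filters(packets):
    """Run each (direction, source) packet through the filter for its
    direction and return a list of (direction, source, verdict)."""
    decisions = []
    for direction, src in packets:
        if direction == "inbound":      # from MichNet toward the member
            verdict = self_defense_filter(src)
        elif direction == "outbound":   # from the member toward MichNet
            verdict = good_citizenship_filter(src)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        decisions.append((direction, src, verdict))
    return decisions


def route_filter(announced_prefixes, prefixes=MEMBER_PREFIXES):
    """The existing route filter, as the post describes it: a member may only
    announce routes for prefixes it owns. It judges announcements, never the
    source address of individual packets, which is why it does not stop
    spoofing. Returns the announcements that would be rejected."""
    rejected = []
    for text in announced_prefixes:
        net = ip_network(text)
        if not any(net.subnet_of(owned) for owned in prefixes):
            rejected.append(str(net))
    return rejected


# Constructed sample traffic, one (direction, source address) per packet.
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.9"),      # outside source arriving: fine
    ("inbound", "192.0.2.77"),       # member address arriving from outside: spoofed
    ("outbound", "198.51.100.5"),    # member source leaving: fine
    ("outbound", "203.0.113.9"),     # non-member source leaving: spoofed
    ("outbound", "198.51.100.200"),  # outside the /25, so not assigned: spoofed
]

# Constructed route announcements from the same member.
SAMPLE_ANNOUNCEMENTS = ["192.0.2.0/25", "203.0.113.0/24"]

if __name__ == "__main__":
    for direction, src, verdict in apply_filters(SAMPLE_PACKETS):
        print(f"{direction:8} {src:16} {verdict}")
    print("rejected announcements:", route_filter(SAMPLE_ANNOUNCEMENTS))
```

The point the simulation makes is the one the post makes in prose: the route filter rejects the bogus 203.0.113.0/24 announcement but says nothing about the outbound packet carrying a 203.0.113.9 source, which only the "good citizenship" packet filter stops; and the "self defense" filter stops only packets that borrow the member's own addresses, never packets that borrow someone else's.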
Here is a summary of what Merit will do under this policy:
Type of filter->      Self Defense   Good Citizen   Non-standard
                     +--------------+--------------+--------------+
Tail Routers         |     yes      |     yes      | reluctantly, |
                     |              |              | for an extra |
                     |              |              | charge       |
                     +--------------+--------------+--------------+
Backbone Routers     |    yes(1)    |    no(2)     |     no       |
                     +--------------+--------------+--------------+
Note 1: This packet filter is optional if a member or
affiliate installs the filter on their own internal
router(s). It may not be possible to install this
filter in all cases.
Note 2: These packet filters should be installed on member
and affiliate routers instead.