Merit Joint Technical Staff
new policy on anti-address spoofing filters in MichNet routers
- From: Jeff Ogden
- Date: Wed Nov 13 08:38:30 1996
Here is the new policy. The substance of the policy hasn't changed from the
version that was sent out last Monday, but this version has been reworded a
bit to make some points clearer and to reflect the fact that this is no
longer a proposal.
-Jeff Ogden
Merit
MichNet Policy on IP Address Spoofing Filters
12 November 1996
At the November 12, 1996 Merit Joint Technical Staff meeting we discussed
this policy on packet filtering to protect against IP address
spoofing--that is, sending IP packets that use source addresses that are
not assigned to the part of the Internet where the packets originate. Since
the feeling of the group was that these filters should be installed and
since no serious objections were raised Merit will begin to fully implement
this policy. Merit's goal will be to have the new packet filters installed
on all routers by the end of January 1997. We are asking members and
affiliates with direct LAN attachments to backbone routers to install
packet filters in their own routers (see items #3 and #4 below) by this
same date. If you have questions about the policy, please contact your
Merit Network Consultant (formerly site representative).
We want these packet filters to do two things:
--protect our members and affiliates from "bad" packets
that originate elsewhere; and
--protect others from "bad" packets that originate at one
of our members or affiliates.
Thus we have both "self defense" and "good network citizenship" as motives
for doing this work.
We need to be clear that the "self defense" filters do not prevent spoofing
of all Internet addresses, only of the member or affiliate IP addresses and
then only within their own network. In fact, all they protect against is
attacks on machines that use local source IP addresses to authenticate
(some UNIX systems with rlogins and rsh enabled, some X Windows servers,
...). Said another way, the "self defense" filters prevent your own IP
addresses from being used against you from outside of your network, but
they do NOT prevent someone else's IP addresses from being used against you
nor do they prevent your own IP addresses from being used against you from
within your own network. The "good citizenship" filters will protect more
broadly, but only if these filters are installed everywhere throughout the
entire Internet, something that is never likely to be completely true.
For many years Merit has installed route filters that prevent a member or
affiliate from announcing routes for IP addresses that they do not own. We
will continue to use route filters, but route filters and packet filters
are different and while route filters are very useful they do not protect
against the same problems that packet filters do.
Here is the policy:
1) On tail routers at member or affiliate sites Merit will install both the
"self defense" and "good citizenship" packet filters. These filters will be
installed at the router's serial interface and will check the source IP
addresses on both inbound and outbound packets. For packets going from
MichNet to the member or affiliate we will reject packets that have a
source address that is assigned to the member or affiliate. For packets
going from the member or affiliate to MichNet we will reject packets that
do NOT have a source address that is assigned to the member or affiliate.
2) In cases where member or affiliate LANs are connected directly to a
MichNet backbone router Merit will install just the "self defense" packet
filters. These filters will be installed at the backbone router's LAN
interfaces and will check the source IP addresses on packets going from
MichNet to the member or affiliate and reject packets with source addresses
that are assigned to the member or affiliate. Because of the performance
impact on some backbone routers, Merit will NOT install the "good
citizenship" packet filters that check the source IP address on packets
going from members or affiliates to MichNet.
3) In cases where member or affiliate LANs are directly connected to a
backbone router AND the backbone router is used to route traffic between
the organization's sub-networks it will not be possible to install the
"self defense" packet filters. In these cases the member or affiliate
should install the filters on their own routers or contact Merit to develop
alternatives.
4) Because we are NOT able to install the "good citizenship" filters for
members or affiliates whose LANs are directly attached to backbone routers,
we are asking these members and affiliates to install these filters on
their own routers. Merit staff will be available to assist in this work. If
a member or affiliate is unable or unwilling to install these filters, they
should contact Merit so we can discuss alternatives.
5) Members and affiliates with direct LAN attachments to backbone routers
may choose to install the "self defense" filters on their own routers and
in this case Merit will not install a filter on the member or affiliate LAN
interface. Please contact your Network Consultant at Merit if this is
something that your organization wants to do.
6) The performance impact of packet filtering is not as serious for some of
the newer backbone routers that are now being installed. So, in the future,
it may be possible for Merit to install packet filters that check the
source address on packets going from a member or affiliate to MichNet even
in cases where the attachment is via a LAN interface on a backbone router.
7) The packet filters that will be installed by Merit provide protection at
the gateway that connects a member or affiliate organization. We encourage
members and affiliates to seriously consider installing similar packet
filters on their own internal routers. For large organizations installing
filters that protect smaller portions of their networks is likely to be
much more effective than filters that are designed to protect the network
as a whole.
8) From time to time Merit is asked to install specific packet filters by a
member or affiliate. These filters are often related to network security in
some way. In general we discourage members and affiliates from using these
sorts of non-standard filters in routers managed by Merit since it is not
considered good practice to depend on an outside party such as Merit to
implement an organization's internal security policies. However, while we
continue to discourage the use of non-standard filters, Merit will install
non-standard packet filters on tail routers managed by Merit at a member or
affiliate's site on request. There will be a fee of $100 a month to install
and maintain these non-standard filters. There will be an additional
consulting fee of $75 per hour if the member or affiliate needs help in
designing or specifying these non-standard filters. Merit will NOT install
non-standard filters on backbone routers.
Here is a summary of what Merit will do under this policy:
Type of filter->     Self Defense  Good Citizen  Non-standard
                    +------------+------------+------------+
                    |            |            |reluctantly |
Tail Routers        |    yes     |    yes     |  for an    |
                    |            |            |extra charge|
                    +------------+------------+------------+
                    |            |            |            |
Backbone Routers    |   yes(1)   |   no(2)    |    no      |
                    |            |            |            |
                    +------------+------------+------------+
Note 1: This packet filter is optional if a member or
affiliate installs the filter on their own internal
router(s). It may not be possible to install this
filter in all cases.
Note 2: These packet filters should be installed on member
and affiliate routers instead.
- - - - - - - - - - - - - - - - -
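The two source-address checks that items 1 and 2 of the policy describe, and the item 3 case where the "self defense" check cannot be placed on a backbone LAN interface, worked through as an added example. This is not part of Jeff Ogden's message or of Merit's router configuration (the message does not say which router vendor or ACL syntax MichNet used), so it is written as a small Python simulation of the filter logic. The member prefix 192.0.2.0/24 with its two sub-networks, the direction labels "to_member"/"to_michnet" standing in for the inbound/outbound interface check, and every sample packet are constructed for the example.

```python
"""Simulation of the MichNet "self defense" and "good citizenship" source-address
filters (added example, not Merit's configuration).

Assumptions, all constructed for this example and not taken from the policy:
  * the member organisation owns 192.0.2.0/24, split into two sub-networks
    192.0.2.0/25 and 192.0.2.128/25;
  * direction labels "to_member" / "to_michnet" stand in for the router's
    inbound/outbound interface check;
  * the sample packets below are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

IPNet = ipaddress.IPv4Network

# Address space assigned to the member or affiliate (constructed).
MEMBER_PREFIXES: List[IPNet] = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def has_member_source(pkt: Packet, prefixes: Iterable[IPNet] = MEMBER_PREFIXES) -> bool:
    """True when the packet's source address lies in a member prefix."""
    addr = ipaddress.ip_address(pkt.src)
    return any(addr in net for net in prefixes)


def self_defense_permits(pkt: Packet) -> bool:
    """Filter on packets going MichNet -> member: reject a member source address,
    since a genuine member host cannot be sending from the outside."""
    return not has_member_source(pkt)


def good_citizen_permits(pkt: Packet) -> bool:
    """Filter on packets going member -> MichNet: reject anything that does NOT
    carry a member source address, so the member cannot spoof outsiders."""
    return has_member_source(pkt)


def tail_router_permits(pkt: Packet, direction: str) -> bool:
    """Policy item 1: a tail router applies both filters at its serial interface."""
    if direction == "to_member":      # inbound on the serial side
        return self_defense_permits(pkt)
    if direction == "to_michnet":     # outbound on the serial side
        return good_citizen_permits(pkt)
    raise ValueError(f"unknown direction {direction!r}")


def backbone_lan_permits(pkt: Packet, direction: str) -> bool:
    """Policy item 2: a backbone router's LAN interface applies only the
    "self defense" filter; the "good citizenship" check is left to the member
    (item 4) because of the performance cost on the backbone."""
    if direction == "to_member":
        return self_defense_permits(pkt)
    return True


def evaluate(filter_fn: Callable[[Packet, str], bool],
             packets: Iterable[Tuple[Packet, str]]) -> List[Tuple[Packet, str, bool]]:
    """Run one filter over (packet, direction) pairs and keep each decision."""
    return [(pkt, direction, filter_fn(pkt, direction)) for pkt, direction in packets]


# Constructed sample traffic: (packet, direction through the router).
SAMPLE_TRAFFIC = [
    (Packet("192.0.2.10", "203.0.113.5"), "to_michnet"),   # legitimate outbound
    (Packet("203.0.113.5", "192.0.2.10"), "to_michnet"),   # member host spoofing an outsider
    (Packet("203.0.113.5", "192.0.2.10"), "to_member"),    # legitimate inbound
    (Packet("192.0.2.10", "192.0.2.20"), "to_member"),     # outsider spoofing a member address
]

# Policy item 3: the same backbone router also forwards traffic between the
# member's two sub-networks, so this packet legitimately leaves the LAN
# interface toward the member while carrying a member source address.
INTER_SUBNET_PACKET = Packet("192.0.2.10", "192.0.2.130")


def tail_router_decisions() -> List[bool]:
    return [permitted for _, _, permitted in evaluate(tail_router_permits, SAMPLE_TRAFFIC)]


def backbone_decisions() -> List[bool]:
    return [permitted for _, _, permitted in evaluate(backbone_lan_permits, SAMPLE_TRAFFIC)]


def item3_false_positive() -> bool:
    """True when the self-defense filter on a backbone LAN interface would drop
    legitimate inter-sub-network traffic, which is why item 3 says the filter
    cannot be installed there."""
    return not backbone_lan_permits(INTER_SUBNET_PACKET, "to_member")


if __name__ == "__main__":
    for name, fn in (("tail router", tail_router_permits), ("backbone LAN", backbone_lan_permits)):
        for pkt, direction, permitted in evaluate(fn, SAMPLE_TRAFFIC):
            verdict = "permit" if permitted else "DROP"
            print(f"{name:12s} {direction:10s} {pkt.src:>12s} -> {pkt.dst:<12s} {verdict}")
    print("item 3 case, inter-subnet packet dropped by self-defense filter:", item3_false_positive())
```

Running the script shows the second sample packet (a member host sending with an outsider's source address) dropped by the tail router but passed untouched by the backbone LAN interface, which is the gap item 4 asks members to close on their own routers. The last line shows the item 3 problem: once a backbone router carries traffic between a member's own sub-networks, a member source address leaving the LAN interface toward the member is legitimate, so the "self defense" check there would drop real traffic.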