North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Internet SYN Flooding, spoofing attacks
- From: Vijay Gill
- Date: Fri Feb 11 21:31:21 2000
IETF removed from the distribution list.
On Fri, 11 Feb 2000, Paul Ferguson wrote:
> >unicast RPF, but the best compromise is the built-in access filter. The
> >solution must be general enough to work for multihomed, defaulting out
> >customers with blocks from n providers,
> No, that is a common misconception, or rather, an overstatement of
> a pretty easily described situation. It only breaks things in transit
> situations, and only in transit situations where you might not have
> the same forwarding path back to the source as you would via the same
> interface a packet came in on.
This is more common than you might believe. For Dialup and single homed,
yes, this is not a problem in most cases. For a very large customer base,
this problem does not scale all that well, especially for the large
backbone carriers who are transiting a lot of traffic. As the internet
grows more important to business, more and more people multihome.
> This is a small percentage, I would thing, since the percentage of
> ISP's offering transit pales in comparison to all other "access"
> ISP's that do not. And in cases where ISP's _do_ offer transit, or
> have transit agreements, will they really do this on their transit
> interfaces? I think not.
I think you're solving something else. I submit that almost _all_ isp's
offer transit for their customers. Thats where the I part of the SP comes
in. For _peering_ links (peering being defined elsewhere), yes, this is a
hard problem, but on the edges of the _peers_, this is not. If everyone
filtered their T1/DSx/OCx/E1/E3/STMx customers at their edges, using
Unicast RPF where appropriate and filters where appropriate, life would