North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: dsl providers that will route /24
- From: Tim Winders
- Date: Wed Mar 28 16:55:57 2001
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 28 Mar 2001, David Schwartz wrote:
> > On Tue, 27 Mar 2001 15:18:08 PST, David Schwartz said:
> > > The problem is, the filter will block legitimate traffic.
> > > IP does not
> > > provide any sure way to tell a spoofed packet from an unspoofed packet.
> > Hmm.. if I *know* that my customer has a single-homed /24, and I see a
> > packet come in from his /24 that has a source address outside that /24,
> > there's a *pretty* *good* chance that something squirrely is going on.
> Right. However, it's also entirely possible that the traffic is
> legitimate. Consider, for example, a sub-customer migrating between
> two ISPs each with static IPs who currently has them both up.
> The optimum approach is to investigate it, determine if it's
> legitimate or not, and act appropriately. The lazy approach is to
> filter it and if it's legitimate, wait for the customer to complain.
> The worst possible approach is to ignore it (either filtering it or
> not) and hope that if it is a serious problem, the customer will fix
> it themself.
> The filtering advocates don't seem to particularly care whether
> the problem is fixed or not. What they're missing is that filtering is
> simply a 'level of service' issue. What's a security and community
> issue is that root compromises and misconfigurations that threaten
> others be detected and repaired. Filters can't do that.
No, no, no. You are erring on the side of openness, rather than on the
side of security.
If you do have a root compromise and someone is able to send out spoofed
packets from that system on your network, how are you supposed to know?
If you are not filtering spoofed packets, you have no way to know there
there is anything going wrong on your network.
As far as traffic outside of my address space being legitimate on my
network. No. The only traffic outside my address space allowed on my
network (if I allowed it at all) would be pre-arranged addresses. If this
is the case, your scenario above would be included.
This is a policy statment that should be clearly defined by each ISPs
routing policy. "I only route my packets unless otherwise arranged". If
another ISP connects to me, I will give them an address range, or, if they
have their own address range, I will route that. Routing of non-portable
address space will only be made under special circumstances. yada yada
You get the idea. If you err on the side of security, you keep everything
closed until you have to open it up. Just like a firewall. This way you
KNOW what is being passed and what will be allowed to be passed when you
setup the connection to the customer.
If you have and have always had egress filtering, then there is no problem
when setting up a new customer. If you add it after the fact, you have to
be very careful and explain to the customer why it needs to be there.
If everyone edge network on the Internet did egress filtering, we wouldn't
have the problem of spoofed packets today. Period. It's that simple.
Flames are welcome. :-)
Tim Winders, MCSE, CNE, CCNA
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
Phone: 806-894-9611 x 2369
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (OSF1)
Comment: Made with pgp4pine 1.75-6
-----END PGP SIGNATURE-----