North American Network Operators Group
RE: dsl providers that will route /24
- From: Charles Sprickman
- Date: Wed Mar 28 22:21:20 2001
On Wed, 28 Mar 2001, David Schwartz wrote:
> We are not talking about a firewall. We are not talking about a military
> installation. We are talking about our customers, and we should be taking an
> 'innocent until proven guilty' approach with them whenever it is reasonably
> possible to do so.
What's wrong with writing it into the contract that you only let packets
pass out of their network with source addresses that you've assigned them?
You could also state that you will let other networks out as they see fit.
> There are some cases where it certainly isn't possible to do so.
> BGP route filtering is a great example.
Yes, so is filtering packets with forged source addresses.
> An unfiltered connection could
> allow a misconfigured customer to do massive amounts of damage very
> quickly. That's not tolerable.
Note how this applies to filtering source IPs.
> Perhaps you are using the term "filtering" differently from the
> way I am. When I say "filtering", I'm referring to blocking. Logging
> and analyzing is wonderful. Filtering is neutral (can be good or bad
> depending upon many factors).
OK, so one of your customers, who is being 'watched' but not filtered has
all 30 of his Linux boxes rooted. He then proceeds to launch a massive
DOS attack against me.
I guess you'd notice this when it's convenient? Or do you have an
intricate log-watching utility that will page you out of bed?
I can't call you, because I don't know where the traffic is really coming
> This is a level of service issue. If you want, you can coerce your
> customers to pre-arrange what IPs they can use on your service. This may
> make things harder for their customers, but you can do it if you want to.
> Fine with me, I don't care. (But think long and hard before coercing your
> customers into an arrangement you yourself couldn't live with.)
If they know enough to be talking BGP with two providers, they likely know
enough to tell you what the IPs they are announcing are.
Why is it such a big deal to simply put "sanity filters" on?
This argument seems to be drawn between 'those who've been attacked from
a non-filtered connection' and 'those who haven't been attacked by same'.
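The "sanity filter" the post argues for, as an added example that is not part of the original thread: a source-address check on a customer-facing link that either drops or merely logs packets whose source is outside the prefixes assigned to that customer (the two stances in the exchange above), plus the BGP analogue that only accepts announcements the customer pre-arranged. The prefixes and packets are constructed sample data.

```python
import ipaddress

# Constructed sample: prefixes the provider assigned to (or agreed to route for) one customer.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample packets seen leaving that customer's link: (src, dst).
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),      # legitimate: inside assigned space
    ("198.51.100.7", "203.0.113.5"),    # legitimate: inside assigned /25
    ("198.51.100.200", "203.0.113.5"),  # outside the /25 actually assigned
    ("10.0.0.1", "203.0.113.5"),        # private source, cannot be theirs
    ("203.0.113.99", "203.0.113.5"),    # forged: somebody else's address
]


def source_is_assigned(src, prefixes):
    """True if src falls inside one of the prefixes assigned to this customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def egress_filter(packets, prefixes, block=True):
    """Source-address sanity filter at the customer-facing interface.

    block=True  : drop packets with a source you never assigned them.
    block=False : the 'watch but don't filter' stance; forward everything,
                  only record the offenders.
    Returns (forwarded, dropped, log_lines).
    """
    forwarded, dropped, log = [], [], []
    for src, dst in packets:
        if source_is_assigned(src, prefixes):
            forwarded.append((src, dst))
            continue
        log.append(f"src {src} -> {dst}: not in assigned space {[str(n) for n in prefixes]}")
        (dropped if block else forwarded).append((src, dst))
    return forwarded, dropped, log


def announcement_filter(announced, prefixes):
    """BGP analogue: accept only routes equal to, or more specific than, a
    prefix the customer told you they would announce; reject everything else
    (including a covering supernet)."""
    accepted, rejected = [], []
    for p in announced:
        net = ipaddress.ip_network(p)
        ok = any(net.version == a.version and net.subnet_of(a) for a in prefixes)
        (accepted if ok else rejected).append(p)
    return accepted, rejected
```

In log-only mode the forged packets still leave the network, which is exactly the case the post complains about: the damage is done before anyone reads the log.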