North American Network Operators Group
Re: dsl providers that will route /24
- From: John Payne
- Date: Fri Mar 30 00:38:43 2001
On Thu, Mar 29, 2001 at 07:46:44PM -0800, Steve Noble wrote:
> On Thu, Mar 29, 2001 at 10:14:54PM -0500, Greg A. Woods wrote:
> > Filtering illegal source addresses, and monitoring your filters, will
> > eliminate *all* possibility of being the source of a spoofed DoS against
> > someone else. Absolutely, positively, guaranteed. No ifs, ands, or
> > buts. There really is no valid excuse any more for not doing it.
> Other than software limitations, routers and switches which can't handle
> this kind of load, the inability to always know what packets are spoofed.
If a global transit free network can ingress filter all of their customers,
without CPU or other logistic problems, I'd be surprised if the majority
of ISPs on this list can't do otherwise. OK, if you're UUNET and providing
connectivity to a load of ISPs, you might not be able to filter those
customers, but you can require that they filter their customers.
> > > Exactly -- the problem is there's no good way to tell a spoofed packet from
> > > an unspoofed packet. Some form of source authentication would solve that.
> > Every packet with a source address that's not assigned to the customer
> > who it is arriving from *IS* a spoofed packet, regardless of *why* it
> > has an errant address. They must all be filtered regardless of content
> > or purpose! The sooner your customers realise their configuration
> > errors, the better (and the happier they'll be!).
> Now that's a very broad statement that's just not true. There are reasons
> that packets with a source address not assigned to an ISP may come across
> the link and be valid, look at DirectPC.
"Apart from the address block we've assigned you, will you be using
addresses in netblocks of other providers? For example, you might
have a connection to another ISP, or you might be using DirectPC"
> Past that if the customer has customers who have blocks assigned from other
> providers, this becomes a huge and almost impossible to manage real-time
> list. Big filter lists hit router CPUs, and cost human time. And remember
> this isn't like filtering BGP customers where if the route doesn't get
> through it's not always a big deal, you are _dropping_ packets that may
> be valid.
And the CPU cost is tiny. Netflow switching reduces it even more.
John Payne http://www.sackheads.org/jpayne/ firstname.lastname@example.org
http://www.sackheads.org/uce/ Fax: +44 870 0547954
To send me mail, use the address in the From: header
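The thread argues about per-customer ingress filtering (drop every packet whose source address is not assigned to the customer it arrives from) and about the exception Steve raises: customers that legitimately source traffic from another provider's block. The following is an added illustration, not code from the post or from any NANOG participant; the interface names, prefixes and packets are constructed and hypothetical. It models the filter as a per-interface list of authorised source prefixes, the customer's assigned block plus any extra netblocks they declared at sign-up, and counts drops per interface so the filter can be monitored rather than silently discarding traffic.

```python
import ipaddress
from collections import Counter

# Constructed policy (hypothetical interfaces and documentation prefixes):
# each customer-facing interface maps to the source prefixes that customer is
# allowed to use.  serial0/2 has declared a second block obtained from another
# provider, the case the sign-up question in the post asks about.
INGRESS_POLICY = {
    "serial0/1": ["192.0.2.0/24"],
    "serial0/2": ["198.51.100.0/25", "203.0.113.0/26"],
}

# Constructed sample packets as (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("serial0/1", "192.0.2.10", "198.51.100.5"),    # within assigned block
    ("serial0/1", "10.0.0.1", "198.51.100.5"),      # private source leaking out
    ("serial0/1", "203.0.113.7", "198.51.100.5"),   # another customer's block
    ("serial0/2", "203.0.113.7", "192.0.2.20"),     # permitted via declared extra block
    ("serial0/2", "192.0.2.10", "192.0.2.20"),      # not assigned to this customer
]


def build_filter(policy):
    """Parse the policy once so the per-packet check is a cheap membership test."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in policy.items()}


def permitted(filt, iface, src):
    """True if src lies inside a prefix authorised on the ingress interface.

    An interface with no policy entry permits nothing, so an unconfigured
    customer port fails closed rather than open.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filt.get(iface, []))


def apply_ingress_filter(filt, packets):
    """Forward permitted packets; count drops per interface for monitoring."""
    forwarded = []
    drops = Counter()
    for iface, src, dst in packets:
        if permitted(filt, iface, src):
            forwarded.append((iface, src, dst))
        else:
            drops[iface] += 1
    return forwarded, drops


def drop_report(drops):
    """One line per interface with drops; a rising count on a customer port
    usually means a misconfiguration on their side worth a phone call."""
    return [f"{iface}: {count} packet(s) dropped with unauthorised source"
            for iface, count in sorted(drops.items())]


if __name__ == "__main__":
    filt = build_filter(INGRESS_POLICY)
    forwarded, drops = apply_ingress_filter(filt, SAMPLE_PACKETS)
    for pkt in forwarded:
        print("forward", pkt)
    for line in drop_report(drops):
        print(line)
```

Of the five constructed packets, two are forwarded and three are dropped: the private-source and wrong-customer packets on serial0/1, and the one on serial0/2 using another customer's block. The declared extra prefix on serial0/2 is what lets the legitimate "address from another provider" traffic through, which is the point both sides of the thread were circling: the filter is only as correct as the per-customer prefix list behind it.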