Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: dsl providers that will route /24

  • From: John Fraizer
  • Date: Fri Mar 30 05:56:23 2001

On Fri, 30 Mar 2001, David Schwartz wrote:

> 
> 	I won't play your name calling game.

Name calling?  I don't play games.  I label as I see fit however.  If it
fits, which it obviously did, deal with it or FIX YOUR PROBLEM.

> 
> > WHAT?  If something comes from a customer that doesn't match your filters
> > for that customer you DROP IT!  IT'S THAT SIMPLE!  Inconvenience for ONE
> > customer or ONE customer's customers is MUCH less or a problem than your
> > customer (or customer's customer) sending traffic from unauthorized
> > address space!
> 
> 	What the heck does that have to do with anything we're discussing? We
> weren't talking about what you do with it, we were talking about whether you
> could tell if it was spoofed or not.

Um, the last time I checked, we were talking about spoofed packets.  It
has EVERYTHINH to do with that.

> 
> > (1)You use address space provided by (your company) or: (
> >
> > 2)You use address space that you have PROOF (whois.arin.net, etc) that you
> > are authorized to use.
> >
> > (3)Any packets sourced from address space not fitting the above two
> > critiria will be DROPPED!
> 
> 	Okay, so you have a filter that checks with ARIN? Or does your
> filter, *surprise* have no way to tell whether a packet is spoofed or
> not.

No. I've got better.  Check this out.
http://www.isi.edu/ra/RAToolSet/RtConfig.html

Wow!  It will build filter sets based on registered objects!  What a
^&(#&#*( concept!


> 
> > It's that simple.  Believe it or not, MOST _REAL_ providers use police
> > very close to what I have outlined.
> 
> 	I'm not talking about that. I'm talking about whether it's
> possible for a filter to tell whether a packet is spoofed or not.

Yes!  It is!  If you build  your filters based on what IP addresses you
know should be sourced from Customer-X, you *CAN* know and filter spoofed
packets.

It all comes down to this.

Do you announce it?  yes?  You should probably accept traffic to/from it.

You DON'T announce it?  Well.. In that case, you've got one of two things
going on:

(1) Customer-X is spoofing
(2) Customer-X isn't announcing address space to you that they're going to
be originating traffic from.

In EITHER case, if CUSTOMER-X hasn't made prior arrangement (and you with
your upstreams and them with theirs) the traffic is going to be dropped
SOMEWHERE anyway because you won't have a route object for it in the irrd.

 
> > > > 	Regardless of whether I filter or not, the fact remains that a
> > > filter can't tell a spoofed packet from an unspoofed packet.
> 
> > Yes you can.  You know what the customer is assigned and what they have
> > told you they will be sourcing from.  It's EASY to build a filter to
> > match.
> 
> 	Yes, it's easy to build a filter to match. I never said it
> wasn't. However, the filter will simply determine whether a packet
> matches the list of IP address you know the customer is authorized to
> use. It can't actually tell if a packet is spoofed or not.
> 

OK.   Check this concept out.  If the customer isn't authorized to use the
address space, AND THEY ARE......

IT'S SPOOFED -- BOGUS -- BAD -- BAD -- BAD!!!!!


> 	Get it?
> 

I got it years ago, Son.  Do YOU get it or are we all wasting our time
trying to educate the terminally ignorant?

> 	A spoofed packet is one that's introduced to the Internet and didn't
> originate from a machine whose administration is authorized to source that
> IP on the global Internet. No filter can establish where a packet actually
> originated, so no filter can tell that. Okay? Get it? A filter cannot
> determine whether or not a packet is spoofed.
> 

Huh?  If they're authorized to originate the packet, they TELL YOU and you
VERIFY THAT and you open your filters up for them to DO SO!  If NOT, you
NIX IT!

Check this out.  YOUR INGRESS FILTER, if YOU'RE their connection to the
global internet, or ONE of their connections to the global internet, can
tell if where the packet originated from!  It's filtering THEIR
CONNECTION!  Do we have to take up a collection to buy you some clue or
what?


> 	Believe me, if a filter really could tell whether a packet was
> spoofed or not, the problem of ending spoofing would be much, much
> simpler.

The problem is SIMPLE.

It's just two simple steps.

INGRESS filter your customers.

Everyone does that, we have a FEW rogues (you fit that mold) to
filter/blackhole/disconnect.


> > > 	Obviously, I was talking about an unspoofed flood. I mention UDP
> > > because most unspoofed floods (at least, that I've seen) are UDP. It's
> > > the easiest flood to launch if you haven't root compromised a box.
> >
> > David, the only obvious thing here is that you're either clueless or
> > criminally negligent.  (Both may be true.)  The above example has no
> > bearing on this discussion.  We're talking (at least those of us with
> > clue) about filtering packets sourced from address space that is not
> > assigned to or OK'd to be used by "customer X".
> 
> 	And the point I'm trying to make is that an unspoofed attack can
> do just as much damage as a spoofed attack. So stopping spoofing may
> or may not reduce the damage an attack does. It all depends upon how
> long it takes you to stop the attack at its source.
> 

Stopping spoofing brings ready accountability to the networks that are
actually ORIGINATING the attacks and reduces the time involved in tracking
them down.

When we KNOW it's not spoofed, we can track the REAL SOURCE down REAL
QUICK!  How can you be so ignorant to this fact and still possess the
mental faculties required to type?

> > 14649 eh?  Why doesn't the high number surprise me?
> >
> > 161.211.0.0/16
> >
> > How did you fall into a /16 being so clueless?
> 
> 	That's the provider for the particular machine I'm sitting at at
> 2 in the morning. I have no connection to them (except that I'm a
> customer).

Oh. OK.  So you don't ever run a network and I've wrongfully malligned
someone who most likely has a ^&*# clue?  Everyone who is associated with
AS14649 and 161.211.0.0/16, I'm sorry.  Once again, I've been duped into
thinking I was replying to someone who actually RAN A ^%#*& NETWORK just
because they managed to subscribe to NANOG and NANOG-POST.  We _REALLY_
need to get more stringent subscription requirements for NANOG-POST.

> 
> 	DS
> 

Wouldn't be prudent and you probably wouldn't understand it if I did.


---
John Fraizer
EnterZone, Inc







Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.