North American Network Operators Group
Who does source address validation? (was Re: what's that smell?)
- From: Sean Donelan
- Date: Tue Oct 08 11:12:06 2002
On Tue, 8 Oct 2002, Joe Abley wrote:
> What is difficult about dropping packets sourced from RFC1918 addresses
> before they leave your network?
> I kind of assumed that people weren't doing it because they were lazy.
I've checked the marketing stuff of several backbones; as far as I could
tell, only one makes a blanket statement about source address
validation on its entire network.
AT&T has also implemented security features directly into the backbone.
IP Source Address Assurance is implemented at every customer
point-of-entry to guard against hackers. AT&T examines the source
address of every inbound packet coming from customer connections to
ensure it matches the IP address we expect to see on that packet. This
means that the AT&T IP Backbone is RFC2267-compliant.
What backbones do 100% source address validation? And how much of it is
real, and how much is marketing? On single-homed or few-homed stub
networks it's "easy." But even in a moderately complex transit network it
becomes "difficult." Yes, I know about uRPF-like stuff, but the router
vendors are still tweaking it.
If there is a magic solution, I would love to hear about it.
Unfortunately, the only solutions I've seen involve considerable work and
resources to implement and maintain all the "exceptions" needed to do 100%
source address validation.
Heck, the phone network still has trouble getting the correct Caller-ID
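As an added illustration of the "exceptions" problem raised in the post above (this is example code written for this page, not AT&T's implementation or any router vendor's uRPF code), the following simulates strict, feasible-path and loose reverse-path checks against a small routing table. The prefixes, interface names and packet sample are constructed: a single-homed stub customer (cust-A) and a multihomed customer (cust-B) whose prefix the transit router prefers to reach via a peer, even though the customer still sends its outbound traffic to us directly. Strict checking drops that customer's legitimate packets unless an operator-maintained exception is added; loose checking keeps them but lets a customer spoof any routed address.

```python
"""Constructed example: strict / feasible-path / loose source-address
validation against a toy routing table.  Not vendor code; all addresses,
interface names and routes below are made up for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    best_iface: str               # interface the FIB forwards to this prefix on
    feasible_ifaces: tuple = ()   # other interfaces with a valid but non-best path


class Rib:
    """Longest-prefix-match table (linear scan; fine for a handful of routes)."""

    def __init__(self, routes):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        return next((r for r in self.routes if addr in r.prefix), None)


# RFC 1918 plus a few prefixes no customer should ever source packets from.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8", "127.0.0.0/8")]


def validate_source(rib, src, ingress_iface, mode="strict", exceptions=()):
    """Return (accept, reason) for a packet sourced from `src` arriving on
    `ingress_iface`.
      mode "strict":   reverse path must be the ingress interface (RFC 2267 style)
      mode "feasible": any feasible path back via the ingress interface is enough
      mode "loose":    any (non-default) route to the source is enough
    `exceptions` is an operator-maintained list of (prefix, iface) pairs that
    strict mode accepts anyway; this is the "exception list" that makes 100%
    validation expensive on a transit network.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in b for b in BOGONS):
        return False, "bogon/RFC1918 source"
    route = rib.lookup(addr)
    # A default route is not treated as a reverse path (matching the usual
    # router default unless explicitly allowed), so unrouted space is dropped.
    if route is None or route.prefix.prefixlen == 0:
        return False, "no non-default route to source"
    if mode == "loose":
        return True, "loose: source is routable"
    if ingress_iface == route.best_iface:
        return True, "reverse path matches ingress"
    if mode == "feasible" and ingress_iface in route.feasible_ifaces:
        return True, "feasible path via ingress"
    for prefix, iface in exceptions:
        if addr in ipaddress.ip_network(prefix) and iface == ingress_iface:
            return True, "manual exception"
    return False, f"reverse path is {route.best_iface}, not {ingress_iface}"


# Constructed transit-router view (documentation prefixes, made-up interfaces):
#   cust-A: single-homed stub customer, 198.51.100.0/24
#   cust-B: multihomed customer, 203.0.113.0/24; our best path to it is via
#           peer-X, but cust-B still hands us its outbound traffic directly.
RIB = Rib([
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust-A"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "peer-X", ("cust-B",)),
    Route(ipaddress.ip_network("0.0.0.0/0"), "peer-X"),
])

# Constructed packet sample: (source address, ingress interface)
PACKETS = [
    ("198.51.100.7", "cust-A"),   # legitimate stub-customer traffic
    ("10.1.2.3",     "cust-A"),   # RFC1918 leak: dropped in every mode
    ("203.0.113.9",  "cust-B"),   # legitimate but asymmetric multihomed customer
    ("198.51.100.7", "cust-B"),   # cust-B spoofing cust-A's address
    ("192.0.2.1",    "cust-A"),   # cust-A spoofing space we only reach by default
]


def run(mode, exceptions=()):
    """Return {(src, iface): accepted} for the packet sample under `mode`."""
    return {(src, iface): validate_source(RIB, src, iface, mode, exceptions)[0]
            for src, iface in PACKETS}


if __name__ == "__main__":
    for mode in ("strict", "feasible", "loose"):
        print(mode, run(mode))
    print("strict+exception",
          run("strict", exceptions=[("203.0.113.0/24", "cust-B")]))
```

Running it shows the trade-off the post describes: strict mode stops every spoofed packet but also drops cust-B's real traffic until someone adds and maintains the exception; feasible-path checking fixes that only when the alternate path is actually known to the router; loose mode never breaks a customer but only catches bogons and unrouted space.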