North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: Who does source address validation? (was Re: what's that smell?)
- From: Mark Borchers
- Date: Tue Oct 08 11:24:44 2002
IMHO, it's not too bad if you do it at your edges. Explicit
permits for valid source addrs is a well-known defense against
source spoofing which of course also addresses the RFC1918
leakage issue to some degree. It's not that hard to incorporate
this into customer installation and support processes.
A lot more difficult to manage at the borders.
> -----Original Message-----
> From: email@example.com [mailto:firstname.lastname@example.org]On Behalf Of
> Sean Donelan
> Sent: Tuesday, October 08, 2002 10:09 AM
> To: Joe Abley
> Cc: Kelly J. Cooper; email@example.com
> Subject: Who does source address validation? (was Re: what's that
> On Tue, 8 Oct 2002, Joe Abley wrote:
> > What is difficult about dropping packets sourced from RFC1918 addresses
> > before they leave your network?
> > I kind of assumed that people weren't doing it because they were lazy.
> I've checked the marketing stuff of several backbones, as far as I could
> tell only one makes the blanket statement about source address
> validation on their entire network.
> AT&T has also implemented security features directly into the backbone.
> IP Source Address Assurance is implemented at every customer
> point-of-entry to guard against hackers. AT&T examines the source
> address of every inbound packet coming from customer connections to
> ensure it matches the IP address we expect to see on that packet. This
> means that the AT&T IP Backbone is RFC2267-compliant.
> What backbones do 100% source address validation? And how much of it is
> real, and how much is marketing? On single-homed or few-homed stub
> networks its "easy." But even a moderately complex transit network it
> becomes "difficult." Yes, I know about uRPF-like stuff, but the router
> vendors are still tweaking it.
> If there is a magic solution, I would love to hear about it.
> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.
> Heck, the phone network still has trouble getting the correct Caller-ID