Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Who does source address validation? (was Re: what's that smell?)

  • From: Mark Borchers
  • Date: Tue Oct 08 11:24:44 2002

IMHO, it's not too bad if you do it at your edges.  Explicit
permits for valid source addrs is a well-known defense against
source spoofing which of course also addresses the RFC1918
leakage issue to some degree.  It's not that hard to incorporate
this into customer installation and support processes.

A lot more difficult to manage at the borders.


> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Sean Donelan
> Sent: Tuesday, October 08, 2002 10:09 AM
> To: Joe Abley
> Cc: Kelly J. Cooper; nanog@merit.edu
> Subject: Who does source address validation? (was Re: what's that
> smell?)
>
>
>
> On Tue, 8 Oct 2002, Joe Abley wrote:
> > What is difficult about dropping packets sourced from RFC1918 addresses
> > before they leave your network?
> >
> > I kind of assumed that people weren't doing it because they were lazy.
>
> I've checked the marketing stuff of several backbones, as far as I could
> tell only one makes the blanket statement about source address
> validation on their entire network.
>
> http://www.ipservices.att.com/backbone/techspecs.cfm
>
>    AT&T has also implemented security features directly into the backbone.
>    IP Source Address Assurance is implemented at every customer
>    point-of-entry to guard against hackers. AT&T examines the source
>    address of every inbound packet coming from customer connections to
>    ensure it matches the IP address we expect to see on that packet. This
>    means that the AT&T IP Backbone is RFC2267-compliant.
>
> What backbones do 100% source address validation?  And how much of it is
> real, and how much is marketing? On single-homed or few-homed stub
> networks its "easy."  But even a moderately complex transit network it
> becomes "difficult."  Yes, I know about uRPF-like stuff, but the router
> vendors are still tweaking it.
>
> If there is a magic solution, I would love to hear about it.
> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.
>
> Heck, the phone network still has trouble getting the correct Caller-ID
> end-to-end.
>
>





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.