North American Network Operators Group
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
- From: E.B. Dreger
- Date: Sun Mar 07 21:05:51 2004
CLM> Date: Mon, 8 Mar 2004 01:32:51 +0000 (GMT)
CLM> From: Christopher L. Morrow
CLM> in a perfect world yes[...]
CLM> Until this is a default behaviour and you can't screw it up
CLM> (ala directed-broadcast) this will be something we all have
CLM> to deal with.
Yes. But the only way we'll get there is 1) a flag day or 2) if
we gradually work in that direction.
CLM> it melts routers, good enough for you? Specifically it
CLM> melts linecards :(
CLM> This is a problem that could be migrated out as new
CLM> equipment/capabilities hit everyone's networks. I suspect
CLM> that market pressure will push things in this direction
CLM> anyway over time.
...and hopefully will be safe-by-default. Anyone who has
multihomed downstreams should be clued enough to disable strict
SAV as needed -- similar to, yet the opposite of, manually
configuring OSPF to treat interfaces as passive by default.
As for low-end routers, uRPF is supported on 26xx. I don't know
about a 16xx or 25xx... a scary thought, but chances are such a
router would have a very small list of reachable netblocks to
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
DO NOT send mail to the following addresses :
firstname.lastname@example.org -or- email@example.com -or- firstname.lastname@example.org
Sending mail to spambait addresses is a great way to get blocked.
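
The strict-SAV trade-off discussed in the message above, as an added sketch (not part of the original post, and a simplified model rather than any vendor's uRPF implementation): strict mode drops a multihomed downstream's legitimate traffic when the best return path points elsewhere, while loose mode only catches unrouted sources. The prefixes, interface names and packets are constructed assumptions.

```python
import ipaddress

# Constructed FIB: prefix -> interface of the best path back to that prefix.
# Documentation prefixes; interface names are hypothetical.
FIB = {
    "198.51.100.0/24": "cust-a",   # single-homed downstream
    "203.0.113.0/24": "upstream",  # multihomed downstream attached on cust-b,
                                   # but best path is via its other provider
}

def best_path_interface(src):
    """Longest-prefix match on the source address; None if there is no route."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_accepts(src, in_if, mode):
    """strict: the route back must use the arrival interface.
    loose: any route to the source is enough."""
    back = best_path_interface(src)
    if back is None:
        return False
    if mode == "strict":
        return back == in_if
    if mode == "loose":
        return True
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample packets: (source address, arrival interface, note)
PACKETS = [
    ("198.51.100.7", "cust-a", "legitimate, single-homed"),
    ("192.0.2.9",    "cust-a", "spoofed, source has no route"),
    ("203.0.113.5",  "cust-a", "spoofed, source routed elsewhere"),
    ("203.0.113.5",  "cust-b", "legitimate, multihomed, asymmetric path"),
]

def evaluate():
    """Return (src, in_if, strict_ok, loose_ok) for each sample packet."""
    return [(s, i, urpf_accepts(s, i, "strict"), urpf_accepts(s, i, "loose"))
            for s, i, _ in PACKETS]

if __name__ == "__main__":
    for (s, i, strict, loose), (_, _, note) in zip(evaluate(), PACKETS):
        print(f"{s:<14} on {i:<7} strict={strict!s:<5} loose={loose!s:<5} {note}")
```

The last row is the false positive that makes strict mode unsafe on multihomed downstream interfaces; the third row is the spoofed packet that loose mode lets through.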