North American Network Operators Group
Re: Source address validation (was Re: UUNet Offer New ProtectionAgainst DDoS)
- From: E.B. Dreger
- Date: Sun Mar 07 22:05:25 2004
SD> Date: Sun, 7 Mar 2004 21:24:44 -0500 (EST)
SD> From: Sean Donelan

SD> This confirms my statement. You save nothing by deploying
SD> SAV on your network. There may be some indeterminate benefit

Unless, of course, the traffic originated from your network and
it simplifies your backtrace. Tracing flows isn't difficult, but
it's more time consuming than a traceroute.

SD> at some indeterminate time in the future after everyone else
SD> in the world correctly implements SAV. But there is no way
SD> to verify if every other network in the world has correctly
SD> deployed SAV. Even if everyone deploys SAV/uRPF you never

s/SAV/AS_PATH filtering and netblock adverts/ in your above
statement. While technically true, it's highly disingenuous.
Should providers quit filtering those simply because not everyone
does it? It's extra cost with no selfish benefit, right?

If you want a network to extend that courtesy to you, extend it
to them. If you extend the courtesy to them, demand it in

SD> know when someone may misconfigure something, so you still
SD> have to keep doing everything you were doing.

Perhaps on a lesser scale, though. There's benefit in knowing
something did not originate from certain sources.

SD> In the meantime, you get to pay for the extra costs for
SD> deploying SAV/uRPF in addition to doing everything you were
SD> already doing.

Just like AS_PATH and netblock announcement filters. Just like
flow monitoring. Just like chasing down spammers. Just like
dealing with "pwned" systems. Just like most anything else that
wouldn't be necessary in a perfect world.

Also note various posters' interest in shifting costs to
responsible parties. One can argue what is "reasonable", but
consequences boost motivation. Perhaps if lack of certain
precautions were considered [legally] negligent, failure would be
the more expensive option.
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
DO NOT send mail to the following addresses :
firstname.lastname@example.org -or- email@example.com -or- firstname.lastname@example.org
Sending mail to spambait addresses is a great way to get blocked.
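As an added illustration, not part of the thread above, here is a small Python model of the strict and loose uRPF checks being argued about, run over a constructed FIB. The assumptions are that each prefix has a single egress interface and that a packet matched only by the default route fails both modes (the behaviour of most routers unless an allow-default option is enabled); it shows why SAV on your own customer ports lets you rule out "this came from cust1" during a backtrace.

```python
import ipaddress

# Constructed FIB for the example: prefix -> interface the route points out of.
# Assumption: one egress interface per prefix (no ECMP).
FIB = {
    "192.0.2.0/24": "cust1",
    "198.51.100.0/24": "cust2",
    "0.0.0.0/0": "upstream",
}

# Constructed sample packets: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust1"),     # legitimate: cust1 sourcing its own block
    ("192.0.2.10", "cust2"),     # cust2 spoofing cust1's block
    ("203.0.113.5", "cust1"),    # cust1 spoofing a block we have no route for
    ("10.1.1.1", "cust2"),       # cust2 sourcing a bogon / private address
]


def lookup(fib, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifc in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def urpf_loose(fib, src):
    """Loose mode: accept if any route to src exists, ignoring the default route."""
    match = lookup(fib, src)
    return match is not None and match[0].prefixlen > 0


def urpf_strict(fib, src, ingress):
    """Strict mode: accept only if the best route back to src leaves via the
    interface the packet arrived on (and is not just the default route)."""
    match = lookup(fib, src)
    return match is not None and match[0].prefixlen > 0 and match[1] == ingress


def classify(fib, packets):
    """One (src, ingress, strict_ok, loose_ok) verdict per packet."""
    return [(s, i, urpf_strict(fib, s, i), urpf_loose(fib, s)) for s, i in packets]


if __name__ == "__main__":
    for verdict in classify(FIB, SAMPLE_PACKETS):
        print(verdict)
```

Only the first packet passes strict mode; the spoofed cust1 address arriving on cust2 passes loose mode but not strict, which is exactly the distinction that makes strict SAV on customer-facing ports worth the cost when tracing a flow back.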