North American Network Operators Group


Re: Network Operators and smurf

  • From: Robert Sanders
  • Date: Sun Apr 26 16:04:13 1998

>There isn't a simple knob, but then it isn't simple to know what a forgery
>is. You have to tell the router.

That's what routing protocols are for, right? :-)  I thought I had read on
cisco-nsp that 11.1CC implemented the long-discussed feature of not
accepting packets from an interface unless the router held a route for the
source address of that packet back out that interface, but I can't find
that message now.  I wonder what that does to forwarding rates on VIP2s and
12000s.

>Or, another perhaps better way is to only accept packets from your customer
>networks which are sourced from those networks.  Each customer interface
>then has an inbound filter that blocks everything not sourced from your
>customer's network.

As I told Jay, we have modified our RADIUS server to do exactly this on the
fly for 3com NETservers, 3com HiPer ARCs, and Bay 5399/8000s (and probably
any other Annexish box with RADIUS support).  This is great until you
accept routing information from one of your downstreams.  One might argue
that you shouldn't peer (or listen to RIP or OSPF) from a network that'll
carry spoofed packets, but I don't think that's practicable for the
Internet of today.  Not all the equipment is capable, not all the operators
are clueful, and there aren't enough incentives to change that overnight.

I won't even touch the issue of "legitimate spoofing" which rears its ugly
head in the telco return satellite and cable modem scenarios.  Strict
asymmetry does make things more complicated.

regards,
  -- Robert
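As an added illustration that is not part of the NANOG post, the following toy model contrasts the two anti-spoofing checks the thread discusses: strict unicast RPF (accept a packet only if the best route to its source address points back out the interface it arrived on) and a static per-customer inbound source filter. The topology, interface names, prefixes (RFC 5737 documentation ranges) and packets are all constructed for the example; nothing here is the configuration of any real router or of the RADIUS setup the author describes.

```python
"""Added example, not code from the NANOG post: a toy model of strict uRPF
versus a static per-interface source filter, run over constructed packets.
Interface names, prefixes and packets are made up for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str            # outgoing interface for this prefix


class Router:
    def __init__(self, routes):
        # Longest-prefix match: most specific routes are tried first.
        self.routes = sorted(
            (Route(ipaddress.IPv4Network(p), i) for p, i in routes),
            key=lambda r: r.prefix.prefixlen, reverse=True)
        self.ingress = {}   # iface -> allowed source prefixes (static ACL)

    def lookup(self, addr):
        a = ipaddress.IPv4Address(addr)
        return next((r for r in self.routes if a in r.prefix), None)

    def set_ingress_filter(self, iface, prefixes):
        self.ingress[iface] = [ipaddress.IPv4Network(p) for p in prefixes]

    def urpf_strict(self, iface, src):
        """Strict uRPF: pass only if the best route to src leaves via iface."""
        r = self.lookup(src)
        return r is not None and r.iface == iface

    def ingress_ok(self, iface, src):
        """Static per-interface filter: only the listed source prefixes pass."""
        allowed = self.ingress.get(iface)
        if allowed is None:
            return True      # no filter configured on this interface
        a = ipaddress.IPv4Address(src)
        return any(a in p for p in allowed)


def build_router():
    # Constructed topology (assumption, not the author's network):
    #   Serial0    customer A, 192.0.2.0/24; also advertises 198.51.100.0/24
    #              via RIP on behalf of one of A's own downstreams
    #   Satellite0 one-way downlink toward customer B, 203.0.113.0/24
    #   Serial2    customer B's telco-return (upstream) path
    #   Serial1    transit, carries the default route
    r = Router([
        ("192.0.2.0/24", "Serial0"),
        ("198.51.100.0/24", "Serial0"),   # learned dynamically from A
        ("203.0.113.0/24", "Satellite0"),
        ("0.0.0.0/0", "Serial1"),
    ])
    # Static filters built only from each customer's own assigned space.
    r.set_ingress_filter("Serial0", ["192.0.2.0/24"])
    r.set_ingress_filter("Serial2", ["203.0.113.0/24"])
    return r


def evaluate(router, iface, src):
    """Return (urpf_passes, acl_passes) for a packet from src arriving on iface."""
    return router.urpf_strict(iface, src), router.ingress_ok(iface, src)


# Constructed packets: (arrival interface, source address).
CASES = [
    ("Serial0", "192.0.2.7"),      # legitimate customer A source
    ("Serial0", "10.9.9.9"),       # spoofed: only the default route matches
    ("Serial0", "203.0.113.5"),    # spoofed: route points at Satellite0
    ("Serial0", "198.51.100.3"),   # downstream prefix learned via RIP
    ("Serial2", "203.0.113.5"),    # telco return: route points at Satellite0
]


def run_cases(router=None):
    """Evaluate every constructed packet; keyed by (iface, src)."""
    router = router or build_router()
    return {c: evaluate(router, *c) for c in CASES}


if __name__ == "__main__":
    for (iface, src), (urpf, acl) in run_cases().items():
        u = "pass" if urpf else "DROP"
        a = "pass" if acl else "DROP"
        print(f"{iface:10} {src:15} uRPF={u:4} ACL={a}")
```

Two of the rows reproduce the trade-off in the post: the prefix learned from a downstream (198.51.100.3 on Serial0) passes strict uRPF because the router already holds a route for it, but a static filter built from the customer's own assignment drops it; conversely the telco-return packet (203.0.113.5 on Serial2) passes the static filter but fails strict uRPF, since the route to that source points at the satellite interface rather than the interface the packet arrived on.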