North American Network Operators Group


Re: ARIN to Allocate from 64.0.0.0/8

  • From: Richard Steenbergen
  • Date: Wed Nov 10 13:39:58 1999

On Wed, Nov 10, 1999 at 12:01:54PM -0500, Kai Schlichting wrote:
> 
> At 11:50 AM 11/10/99 -0500, Richard A Steenbergen <[email protected]> wrote:
> 
> >I might almost be happy, except this breaks the oh-so-nice filter of
> >64.0.0.0/2 at borders (effectively reduces random src spoofed attacks
> >by 25%, and covers 127.0.0.0/8 as well). Go ARIN. </sarcasm>
> 
> One line becomes two in your ACL?
> ip permit 64.0.0.0/8
> ip deny 64.0.0.0/2 
> 
> The CPU loss for one more ACL line is probably offsetting the gains of
> spoofed traffic pretty well. That will even scale for a little while,
> at least for /9 and /10 in the permit line, before you seriously have
> to think about how much still-unallocated space you will gratuitously allow
> through your ACL.

Reality is it's not that simple. If you are doing any other filters that
might catch on 64.0.0.0/8, you'll need to drop those lines down to the
end. Besides the obvious goal of cutting spoofed traffic, one of the
primary uses of this kind of filter (for myself at any rate) is to save
CPU when dealing with small packet high packet/sec random src attacks.
It's not the end of the world, but it's annoying and does not help
matters any. *grumble*

-- 
Richard A Steenbergen <[email protected]>   http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
AboveNet Communications - AboveSecure Network Security Engineer, Vienna VA
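
The line-ordering issue discussed in this thread, as an added example that is not part of the original messages: a small first-match ACL evaluator showing what happens to another filter when `permit 64.0.0.0/8` is placed at the top, and how much source space the /2 filter still covers. It assumes first-match evaluation with an implicit deny; the `Rule`, `evaluate` and `denied_slash8s` names and the port-23 line standing in for "any other filter" are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    src: str                     # source prefix in CIDR form
    dport: Optional[int] = None  # None = any destination port

def evaluate(acl, src_ip, dport):
    """Return the action of the first matching line (implicit deny at the end)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in acl:
        if addr in ipaddress.ip_network(rule.src) and rule.dport in (None, dport):
            return rule.action
    return "deny"

def denied_slash8s(acl, dport):
    """Count source /8 blocks denied for dport; exact while no prefix is longer than /8."""
    return sum(evaluate(acl, f"{o}.0.0.1", dport) == "deny" for o in range(256))

# Constructed sample lines: OTHER stands in for "any other filter" on the border.
OTHER = Rule("deny", "0.0.0.0/0", 23)
ANY = Rule("permit", "0.0.0.0/0")

# Original single-line filter.
before = [Rule("deny", "64.0.0.0/2"), OTHER, ANY]
# Permit/deny pair placed at the top: 64.0.0.0/8 now skips OTHER entirely.
two_line = [Rule("permit", "64.0.0.0/8"), Rule("deny", "64.0.0.0/2"), OTHER, ANY]
# Pair moved below the other filter: OTHER applies to 64.0.0.0/8 again.
moved = [OTHER, Rule("permit", "64.0.0.0/8"), Rule("deny", "64.0.0.0/2"), ANY]

if __name__ == "__main__":
    for name, acl in (("before", before), ("two_line", two_line), ("moved", moved)):
        print(name,
              "| 64.1.2.3:23 ->", evaluate(acl, "64.1.2.3", 23),
              "| 127.0.0.1:80 ->", evaluate(acl, "127.0.0.1", 80),
              "| source /8s denied on port 80:", denied_slash8s(acl, 80))
```

With the pair at the top, the filter still drops 63 of 256 source /8 blocks (down from 64), but traffic from 64.0.0.0/8 no longer reaches the later filter line until the pair is moved below it.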