North American Network Operators Group


Re: Internet SYN Flooding, spoofing attacks

  • From: Vijay Gill
  • Date: Fri Feb 11 21:31:21 2000

IETF removed from the distribution list.

On Fri, 11 Feb 2000, Paul Ferguson wrote:

> >unicast RPF, but the best compromise is the built-in access filter.  The
> >solution must be general enough to work for multihomed, defaulting out
> >customers with blocks from n providers,
> 
> No, that is a common misconception, or rather, an overstatement of
> a pretty easily described situation. It only breaks things in transit
> situations, and only in transit situations where you might not have
> the same forwarding path back to the source as you would via the same
> interface a packet came in on.

This is more common than you might believe.  For Dialup and single homed,
yes, this is not a problem in most cases.  For a very large customer base,
this problem does not scale all that well, especially for the large
backbone carriers who are transiting a lot of traffic.  As the internet
grows more important to business, more and more people multihome.

> This is a small percentage, I would think, since the percentage of
> ISP's offering transit pales in comparison to all other "access"
> ISP's that do not. And in cases where ISP's _do_ offer transit, or
> have transit agreements, will they really do this on their transit
> interfaces? I think not.

I think you're solving something else.  I submit that almost _all_ ISPs
offer transit for their customers.  That's where the I part of the SP comes
in.  For _peering_ links (peering being defined elsewhere), yes, this is a
hard problem, but on the edges of the _peers_, this is not.  If everyone
filtered their T1/DSx/OCx/E1/E3/STMx customers at their edges, using
Unicast RPF where appropriate and filters where appropriate, life would
become better.

/vijay
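The disagreement above turns on when strict unicast RPF breaks. The following is an added illustration, not code from the post or from either author: a toy forwarding table and three ingress checks (strict uRPF, loose uRPF, and a static per-customer prefix filter) evaluated against the cases the thread mentions. The FIB, the customers, the interface names and the addresses (RFC 5737/1918 documentation space) are all constructed for the example. Customer B is the "defaulting out" multihomed case from the quoted text: it holds a block from another provider that it never announces to us, so our only route back to that block points at transit.

```python
import ipaddress

# Constructed forwarding table for a hypothetical provider router. The
# prefixes are documentation space and the interface names are invented for
# this example; nothing here comes from the post.
FIB = {
    "10.0.0.0/24":     "ge-0/0/1",  # single-homed customer A, reached over its access link
    "192.0.2.0/24":    "ge-0/0/2",  # multihomed customer B: the block we assigned it
    "198.51.100.0/24": "ge-0/0/9",  # B's block from its other provider; B does not
                                    # announce it to us, so our only route is via transit
    "0.0.0.0/0":       "ge-0/0/9",  # default toward transit
}


def longest_prefix_match(fib, src):
    """Return (network, egress interface) of the most specific route covering src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf(fib, src, ingress):
    """Strict uRPF: accept only if the best route back to src leaves via the
    interface the packet arrived on. Fails on asymmetric return paths."""
    match = longest_prefix_match(fib, src)
    return match is not None and match[1] == ingress


def loose_urpf(fib, src):
    """Loose uRPF: accept if any route more specific than the default covers
    src. Catches unrouted sources only; a spoofed but routable source passes."""
    match = longest_prefix_match(fib, src)
    return match is not None and match[0].prefixlen > 0


def ingress_acl(allowed_prefixes, src):
    """Static ingress filter: accept only sources inside the blocks the customer
    holds, from whichever of its providers they were assigned."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in allowed_prefixes)


def verdicts(src, ingress, customer_prefixes, fib=FIB):
    """Evaluate one packet under the three approaches; True means 'forward'."""
    return {
        "strict_urpf": strict_urpf(fib, src, ingress),
        "loose_urpf": loose_urpf(fib, src),
        "ingress_acl": ingress_acl(customer_prefixes, src),
    }


# Hypothetical per-customer allocations used to build the static filters.
CUSTOMER_A_PREFIXES = ["10.0.0.0/24"]
CUSTOMER_B_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    cases = [
        ("A, legit source",            "10.0.0.5",     "ge-0/0/1", CUSTOMER_A_PREFIXES),
        ("A, spoofed source",          "203.0.113.7",  "ge-0/0/1", CUSTOMER_A_PREFIXES),
        ("B, block assigned by us",    "192.0.2.9",    "ge-0/0/2", CUSTOMER_B_PREFIXES),
        ("B, block from other provider","198.51.100.9", "ge-0/0/2", CUSTOMER_B_PREFIXES),
    ]
    for name, src, ingress, acl in cases:
        print(f"{name}: {src} on {ingress} -> {verdicts(src, ingress, acl)}")
```

The last case is the one that matters: the packet is legitimate, but strict uRPF drops it because the router's best path back to 198.51.100.0/24 is the transit interface, not the access link it arrived on. Loose uRPF forwards it but would also forward a spoofed packet from any routable address, so it does nothing against the SYN-flood case. The static filter, built from every block the customer holds regardless of which provider assigned it, forwards the legitimate packet and still drops the spoof, which is the "filters where appropriate" half of the recommendation.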