North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DoS attacks, NSPs unresponsiveness

  • From: Joe Shaw
  • Date: Fri Nov 03 17:33:34 2000

On Fri, 3 Nov 2000, John Fraizer wrote:

> You can ALWAYS increase security.  You may not be able to do it the way
> you want but, you can always do it in some shape or form.

I wholeheartedly agree.  And you have to balance functionality against
security, but I believe a happy compromise is generally available.

> If they're filtering on the /19 or /20 boundry on legacy space, they're
> VERY misconfigured and breaking a whole bunch of connectivity.

I thought filtering at /19-/20 space was still considered best common
practice by some of the older Tier 1's who were interested in keeping the
routing tables small.  Maybe with less legacy equipment deployed this
isn't an issue anymore.

> OK.  Try this one on.  You're announcing 89K prefixes to customer
> X.  They're seeing the same 89K prefixes from another provider too.  They
> don't want ANY incoming traffic via their connection from you.  They do
> however preference routes to ASX, ASY and ASZ via your connection.  What's
> the best way for them to do this?  Don't announce to you and route-map
> those routes to X Y and Z to be preferred.

Wouldn't it be better, at least from an engineering standpoint, to still
announce their routes with AS padding to increase the AS-path so in the
event their other connection(s) goes down they still have some type of
inbound connectivity?  It seems like your example would work in a best
case scenario, but customer X would drop off of the planet in the event of
a partial outage without some manual reconfiguration.  I did something
similar to what you are suggesting, but we still announced the routes,
with padding, so that in the event of a failure the network could still
function.  The link did fail eventually (would you believe me if I
mentioned there was a backhoe and a contractor involved?), and while the
network was certainly slower than normal, it continued to function
adequately so that there was no perceivable outage seen by our customers.

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named because I
don't speak for them here.  I have public opinions, and they don't.