North American Network Operators Group

RE: Defeating DoS Attacks Through Accountability

  • From: John Fraizer
  • Date: Sat Nov 11 22:36:32 2000

On Sat, 11 Nov 2000, Mark Mentovai wrote:

> 
> Barry Raveendran Greene wrote:
> >> I'll put it this way: filtering should be done against blocks that a
> >> customer can announce, not against blocks that a customer is actively
> >> announcing.  If you're filtering purely against current advertisements,
> >> you're bound to break something sooner or later.
> >
> >Good theory. But what one public source do all the ISP agree to validate the
> >authority to announce?
> 
> Regional IP address allocating bodies - in other words, ARIN.  If you aren't
> listed as responsible for the block in question, you should either have the
> information updated (SWIP or rwhois) or obtain written authorization from a
> representative of the organization controlling the block.  It's far from
> perfect because enthusiasm for providing accurate data via SWIP and rwhois
> doesn't really exist as it should, but it's probably the best anyone can
> come up with.  Perhaps putting SWIP and rwhois data to a good use such as
> this would increase awareness of it and cause the databases to become more
> appropriately populated.
> 
> Mark
> 
> 


Filtering based on assigned/allocated address space should be the norm,
not the exception.  If a customer isn't listed in the ARIN database, or
whichever RIR has authority for the address space in question, we won't
accept announcements from them for that space, period, the end.  If the
entity who assigned/allocated the address space to them is unwilling to
provide up-to-date information via SWIP/RWHOIS, we are very happy to point
out to the customer how lazy/stupid/irresponsible that entity is and
explain our reasons for not accepting announcements for said address
space.

We have run into some delays with providers when we obtained new address
space and needed to announce it.  The prefix-list filters that were in
place said "I don't think so!"  So, it took 20 mins to get someone with
the authority to change the prefix-list on the phone and another 5 minutes
for them to change the prefix-list and another 30 seconds for me to type
"clear ip bgp NNNN soft out".  It's a small price to pay for the peace of
mind of knowing that in the event we misconfigure something, we're not
going to leak transit routes, default, blah blah blah into the global
routing table.


---
John Fraizer
EnterZone, Inc
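The policy the message describes, filtering a customer's BGP announcements against the address space recorded as assigned or allocated to them rather than against whatever they currently announce, as an added example that is not part of the original post. The customer ASNs, the allocation table and the /24 maximum prefix length are constructed assumptions (documentation prefixes), and the `max_len` handling is only analogous to a prefix-list `le` clause, not a reproduction of any vendor's implementation.

```python
import ipaddress

# Constructed sample data: the blocks each customer is recorded as holding
# in the RIR / SWIP / rwhois data (hypothetical ASNs, documentation space).
ALLOCATED = {
    "AS64496": ["192.0.2.0/24", "198.51.100.0/22"],
    "AS64497": ["203.0.113.0/24"],
}

# Longest prefix we will accept from a customer (assumption: /24).
MAX_PREFIX_LEN = 24


def build_prefix_list(allocations, max_len=MAX_PREFIX_LEN):
    """Turn a customer's allocated blocks into (network, max_len) entries:
    the block itself or any more-specific no longer than max_len is allowed,
    everything else is denied (the 'can announce' set, not 'is announcing')."""
    return [(ipaddress.ip_network(block), max_len) for block in allocations]


def announcement_permitted(customer, prefix, allocated=ALLOCATED):
    """Return (permitted, reason) for a single prefix announced by customer."""
    net = ipaddress.ip_network(prefix, strict=False)
    if customer not in allocated:
        return False, "customer has no assigned/allocated space on record"
    for block, max_len in build_prefix_list(allocated[customer]):
        # subnet_of() raises on mixed address families, so check version first.
        if net.version == block.version and net.subnet_of(block):
            if net.prefixlen > max_len:
                return False, f"{net} is more specific than /{max_len}"
            return True, f"{net} is covered by allocated block {block}"
    # Leaked transit routes, other customers' space and default all land here.
    return False, f"{net} is not within any block allocated to {customer}"


def filter_announcements(customer, prefixes, allocated=ALLOCATED):
    """Split a customer's announcements into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix in prefixes:
        ok, reason = announcement_permitted(customer, prefix, allocated)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcement set: own space, a leaked neighbour block, default.
    received = ["192.0.2.0/24", "198.51.100.0/23", "203.0.113.0/24", "0.0.0.0/0"]
    acc, rej = filter_announcements("AS64496", received)
    for prefix, reason in acc + rej:
        print(f"{'ACCEPT' if (prefix, reason) in acc else 'REJECT'} {reason}")
```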