North American Network Operators Group


Re: dsl providers that will route /24

  • From: Steve Noble
  • Date: Thu Mar 29 22:52:44 2001

On Thu, Mar 29, 2001 at 10:14:54PM -0500, Greg A. Woods wrote:
> Filtering illegal source addresses, and monitoring your filters, will
> eliminate *all* possibility of being the source of a spoofed DoS against
> someone else.  Absolutely, positively, guaranteed.  No ifs, ands, or
> buts.  There really is no valid excuse any more for not doing it.

Other than software limitations, routers and switches which can't handle
this kind of load, and the inability to always know what packets are spoofed.

> > 	Exactly -- the problem is there's no good way to tell a spoofed packet from
> > an unspoofed packet. Some form of source authentication would solve that.
> 
> Every packet with a source address that's not assigned to the customer
> who it is arriving from *IS* a spoofed packet, regardless of *why* it
> has an errant address.  They must all be filtered regardless of content
> or purpose!  The sooner your customers realise their configuration
> errors, the better (and the happier they'll be!).

Now that's a very broad statement that's just not true.  There are reasons
that packets with a source address not assigned to an ISP may come across
the link and be valid, look at DirectPC.

Past that if the customer has customers who have blocks assigned from other
providers, this becomes a huge and almost impossible to manage real-time
list.  Big filter lists hit router CPUs, and cost human time.  And remember
this isn't like filtering BGP customers where if the route doesn't get 
through it's not always a big deal, you are _dropping_ packets that may
be valid.

> Yes customers should do anti-spoofing filtering on both source and
> destination addresses too, but that does not in any way excuse any
> provider from doing likewise on *all* edge connections.

I'm guessing you talk to a lot of router vendors and listen to their
half-truths about their filtering abilities.  It's one thing to filter
one customer, it's another to filter hundreds of customers utilizing
hundreds or thousands of blocks on a single device; just looking
at the configuration becomes a nightmare.  Also there's a big difference
between an edge device pushing a few megs and one pushing many gigs
when it comes to any type of packet filtering. 

-- 
-------------------------------------------------------------------------------
: Steven Noble / Network Janitor / Be free my soul and leave this world alone :
:   My views = My views != The views of any of my past or present employers   :
-------------------------------------------------------------------------------
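An added example, not part of this thread or of either poster's message, that models the per-port ingress source-address filter the two are arguing about: each customer port is allowed to source only the prefixes assigned to it, everything else is dropped, and the filter is rendered as Cisco-style standard ACL lines so the configuration size is visible. All port names, prefixes and packets are constructed placeholders. The second customer's filter carries a block delegated by another provider, and the main block shows what happens when that customer adds a new downstream block before the filter is updated: legitimate traffic is dropped until the list catches up, which is the operational cost the reply raises.

```python
"""Per-port ingress source-address (anti-spoofing) filter simulator.

Added example; not code from the NANOG thread or from either poster.
Port names, prefixes and packets below are constructed placeholders.
"""
import ipaddress
from collections import Counter

# Constructed: the address space each customer-facing port may legitimately source.
PORT_PREFIXES = {
    "cust-A": ["192.0.2.0/24"],                        # single-homed customer
    "cust-B": ["198.51.100.0/24", "203.0.113.0/26"],   # customer whose downstream
                                                       # holds space from another ISP
}

# Constructed sample packets: (ingress port, source address).
PACKETS = [
    ("cust-A", "192.0.2.10"),       # legitimate
    ("cust-A", "198.51.100.7"),     # spoofed or misconfigured: not cust-A space
    ("cust-B", "203.0.113.9"),      # legitimate, from the other-provider block
    ("cust-B", "203.0.113.200"),    # outside the /26 that is actually delegated
    ("cust-B", "10.0.0.1"),         # RFC 1918 source leaking out
]


def build_filter(port_prefixes):
    """Parse the prefix strings once into ip_network objects keyed by port."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in port_prefixes.items()}


def ingress_decision(filt, port, src):
    """'permit' if src falls inside a prefix assigned to that port, else 'drop'.

    A port with no configured prefixes is default-deny: an unlisted port
    cannot source anything, which is the safe failure mode."""
    addr = ipaddress.ip_address(src)
    allowed = filt.get(port, [])
    return "permit" if any(addr in net for net in allowed) else "drop"


def apply_filter(filt, packets):
    """Run every packet through the filter.

    Returns (counts, dropped) so the dropped list can be reviewed for
    legitimate traffic the filter list does not yet know about."""
    counts = Counter()
    dropped = []
    for port, src in packets:
        verdict = ingress_decision(filt, port, src)
        counts[verdict] += 1
        if verdict == "drop":
            dropped.append((port, src))
    return counts, dropped


def render_acl(port, nets):
    """Render one port's filter as Cisco-style standard-ACL lines (source
    match with wildcard masks), ending in an explicit deny."""
    lines = [f"ip access-list standard ingress-{port}"]
    for net in nets:
        lines.append(f" permit {net.network_address} {net.hostmask}")
    lines.append(" deny any")
    return lines


def filter_entry_count(filt):
    """Total prefix entries across all ports on this device: the list that
    has to be kept current as customers' downstream blocks change."""
    return sum(len(nets) for nets in filt.values())


if __name__ == "__main__":
    filt = build_filter(PORT_PREFIXES)
    counts, dropped = apply_filter(filt, PACKETS)
    print(dict(counts), dropped)
    # Customer B brings up a new downstream block (constructed). Until the
    # filter is updated, that block's traffic is dropped at the edge.
    new_block = "203.0.113.64/26"
    print(ingress_decision(filt, "cust-B", "203.0.113.70"))   # drop before update
    filt["cust-B"].append(ipaddress.ip_network(new_block))
    print(ingress_decision(filt, "cust-B", "203.0.113.70"))   # permit after update
    print("entries on this device:", filter_entry_count(filt))
    for port, nets in filt.items():
        print("\n".join(render_acl(port, nets)))
```

The dropped list is the part worth watching in practice: a drop of a source inside space a customer can document is a filter-maintenance problem, not an attack, and catching that quickly is what keeps a default-deny ingress filter from breaking legitimate traffic.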