North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: peering requirements (Re: DDOS anecdotes)

  • From: Hank Nussbacher
  • Date: Wed Jun 27 03:19:24 2001 
At 14:52 26/06/01 -0700, Paul A Vixie wrote:
> o source filtering at high bandwidth

i consider this nonsoluable. some routers can already do it, but making the
ownership and deployment of such routers be the minimum price of entry into
the peering game is a fatal nonstarter of an idea. and the infrastructure
for expressing netblock ownership in a way that could be used to build
accurate and reliable filters (assuming the routers could load such filters
and act on them at wire speed) isn't there. i think this way lies madness.

source filtering is an edge problem, at current technology levels. but how
to ensure that other people do it at THEIR edge is a separate problem from how
to do it at YOUR edge. the former is social/economic, the latter is technical.
I have found a fairly easy way to make this start happening. When putting out an RFI/RFP for some Internet connectivity/Web hosting/VPN/etc. - in addition to putting in the obvious rtt minimums, SLAs, OC-48 backbones, 24x7 NOCs, etc. I have started to include the following:

- anti-spoofing source filtering

Even if the ISP can't do it - the sales and marketing people are now driving the change process. The more RFI/RFPs that ISPs see that contain such a mandatory section, the more the network will become a better place to live. There are more than enough consultants/people on this list that can drive this process very quickly.

-Hank

PS I also include "human response to [email protected] email within 24 hours" :-)