North American Network Operators Group


Who does source address validation? (was Re: what's that smell?)

  • From: Sean Donelan
  • Date: Tue Oct 08 11:12:06 2002

On Tue, 8 Oct 2002, Joe Abley wrote:
> What is difficult about dropping packets sourced from RFC1918 addresses
> before they leave your network?
>
> I kind of assumed that people weren't doing it because they were lazy.

I've checked the marketing stuff of several backbones, as far as I could
tell only one makes the blanket statement about source address
validation on their entire network.

http://www.ipservices.att.com/backbone/techspecs.cfm

   AT&T has also implemented security features directly into the backbone.
   IP Source Address Assurance is implemented at every customer
   point-of-entry to guard against hackers. AT&T examines the source
   address of every inbound packet coming from customer connections to
   ensure it matches the IP address we expect to see on that packet. This
   means that the AT&T IP Backbone is RFC2267-compliant.

What backbones do 100% source address validation?  And how much of it is
real, and how much is marketing? On single-homed or few-homed stub
networks it's "easy."  But on even a moderately complex transit network it
becomes "difficult."  Yes, I know about uRPF-like stuff, but the router
vendors are still tweaking it.

If there is a magic solution, I would love to hear about it.
Unfortunately, the only solutions I've seen involve considerable work and
resources to implement and maintain all the "exceptions" needed to do 100%
source address validation.

Heck, the phone network still has trouble getting the correct Caller-ID
end-to-end.
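
The contrast the message draws between stub and multihomed customers, as an added example that is not part of the original post: a per-interface source prefix filter beside a strict reverse-path check. The interface names, prefixes and route table are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation prefixes), not from the original post.
# Prefixes each customer-facing interface is expected to source traffic from.
EXPECTED = {
    "cust-a": ["198.51.100.0/24"],                 # single-homed stub
    "cust-b": ["203.0.113.0/24", "192.0.2.0/24"],  # multihomed; second block is a hand-kept exception
}
# Best-path table: prefix -> interface this router would forward *toward* it.
BEST_PATH = {
    "198.51.100.0/24": "cust-a",
    "203.0.113.0/24": "cust-b",
    "192.0.2.0/24": "peer-x",  # cust-b's second block is best reached via its other provider
}

def _match(src, prefixes):
    """Return the longest prefix in `prefixes` containing `src`, or None."""
    addr = ipaddress.ip_address(src)
    hits = [ipaddress.ip_network(p) for p in prefixes if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def prefix_filter(iface, src):
    """Per-interface ingress filter: accept only sources listed for that customer."""
    return _match(src, EXPECTED.get(iface, [])) is not None

def strict_rpf(iface, src):
    """Strict reverse-path check: accept only if the best route back to src
    points out the interface the packet arrived on."""
    best = _match(src, BEST_PATH)
    return best is not None and BEST_PATH[str(best)] == iface

def compare(packets):
    """Return (iface, src, filter_verdict, strict_rpf_verdict) per packet."""
    return [(i, s, prefix_filter(i, s), strict_rpf(i, s)) for i, s in packets]

if __name__ == "__main__":
    sample = [("cust-a", "198.51.100.7"), ("cust-a", "10.1.2.3"),
              ("cust-b", "203.0.113.9"), ("cust-b", "192.0.2.50")]
    for row in compare(sample):
        print("%-7s %-14s filter=%-5s strict_rpf=%s" % row)
```

The last sample packet is legitimate traffic from the multihomed customer: the hand-maintained list accepts it, while the automatic reverse-path check drops it because the return route points elsewhere.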