North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: Who does source address validation? (was Re: what's that smell?)
IMHO, it's not too bad if you do it at your edges. Explicit permits for valid source addrs is a well-known defense against source spoofing which of course also addresses the RFC1918 leakage issue to some degree. It's not that hard to incorporate this into customer installation and support processes. A lot more difficult to manage at the borders. > -----Original Message----- > From: [email protected] [mailto:[email protected]]On Behalf Of > Sean Donelan > Sent: Tuesday, October 08, 2002 10:09 AM > To: Joe Abley > Cc: Kelly J. Cooper; [email protected] > Subject: Who does source address validation? (was Re: what's that > smell?) > > > > On Tue, 8 Oct 2002, Joe Abley wrote: > > What is difficult about dropping packets sourced from RFC1918 addresses > > before they leave your network? > > > > I kind of assumed that people weren't doing it because they were lazy. > > I've checked the marketing stuff of several backbones, as far as I could > tell only one makes the blanket statement about source address > validation on their entire network. > > http://www.ipservices.att.com/backbone/techspecs.cfm > > AT&T has also implemented security features directly into the backbone. > IP Source Address Assurance is implemented at every customer > point-of-entry to guard against hackers. AT&T examines the source > address of every inbound packet coming from customer connections to > ensure it matches the IP address we expect to see on that packet. This > means that the AT&T IP Backbone is RFC2267-compliant. > > What backbones do 100% source address validation? And how much of it is > real, and how much is marketing? On single-homed or few-homed stub > networks its "easy." But even a moderately complex transit network it > becomes "difficult." Yes, I know about uRPF-like stuff, but the router > vendors are still tweaking it. > > If there is a magic solution, I would love to hear about it. > Unfortunately, the only solutions I've seen involve considerable work and > resources to implement and maintain all the "exceptions" needed to do 100% > source address validation. > > Heck, the phone network still has trouble getting the correct Caller-ID > end-to-end. > >
|