North American Network Operators Group
Re: Who does source address validation? (was Re: what's that smell?)
It seems to reason that if people started filtering RFC-1918 on their edge, we would see a noticeable amount of traffic go away. Simulation models I've been running show that an average of 12 to 18 percent of a provider's traffic would disappear if they filtered RFC-1918 sourced packets. The percentage ranges scale with the size of the provider: smaller providers, less impact; larger providers, more impact.

In addition to the bandwidth savings, there is also a support cost reduction, and together, I believe backbone providers can see this on the bottom line of their balance sheets.

We have to start someplace. There is no magic answer for all cases. RFC-1918 is easy to admin, and easy to deploy, in relative terms compared to uRPF or similar methods. For large and small alike it can be a positive marketing tool, if properly implemented.

john brown

On Tue, Oct 08, 2002 at 11:09:10AM -0400, Sean Donelan wrote:
>
> On Tue, 8 Oct 2002, Joe Abley wrote:
> > What is difficult about dropping packets sourced from RFC1918 addresses
> > before they leave your network?
> >
> > I kind of assumed that people weren't doing it because they were lazy.
>
> I've checked the marketing stuff of several backbones, as far as I could
> tell only one makes the blanket statement about source address
> validation on their entire network.
>
> http://www.ipservices.att.com/backbone/techspecs.cfm
>
> AT&T has also implemented security features directly into the backbone.
> IP Source Address Assurance is implemented at every customer
> point-of-entry to guard against hackers. AT&T examines the source
> address of every inbound packet coming from customer connections to
> ensure it matches the IP address we expect to see on that packet. This
> means that the AT&T IP Backbone is RFC2267-compliant.
>
> What backbones do 100% source address validation? And how much of it is
> real, and how much is marketing? On single-homed or few-homed stub
> networks it's "easy." But even on a moderately complex transit network it
> becomes "difficult." Yes, I know about uRPF-like stuff, but the router
> vendors are still tweaking it.
>
> If there is a magic solution, I would love to hear about it.
> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.
>
> Heck, the phone network still has trouble getting the correct Caller-ID
> end-to-end.
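The two checks the thread contrasts, the cheap RFC-1918 source filter John proposes and the per-customer "does the source match what we expect on this port" check AT&T describes (RFC 2267 ingress filtering), written out as a small worked example. This is added illustration, not code from the thread or from any vendor; the customer-interface-to-prefix table, the interface names and the sample packets are constructed assumptions, and the drop percentage it reports is for the constructed sample only, not John's simulation figures.

```python
"""Edge source-address validation, illustrated on constructed sample packets.

Check 1 (RFC-1918 filter): drop anything sourced from 10/8, 172.16/12 or
192.168/16, plus a few other sources that should never arrive on a transit
link. Needs no per-customer state, which is why the thread calls it easy.

Check 2 (RFC 2267 / strict-uRPF style): a packet arriving on a customer
port must carry a source inside the prefixes assigned to that port. The
assignment table is the per-customer state that has to be maintained, and
is where the "exceptions" for multihomed customers would have to live.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Not RFC-1918, but equally never valid as a source on a customer link.
OTHER_BOGONS = [ipaddress.ip_network(n)
                for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical customer interface -> assigned prefixes (constructed for this example).
CUSTOMER_PREFIXES = {
    "cust-A": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-B": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("203.0.113.128/26")],
}


@dataclass(frozen=True)
class Packet:
    iface: str  # customer-facing interface the packet arrived on
    src: str    # IPv4 source address, dotted quad
    dst: str    # IPv4 destination address (not used by the checks)


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def classify(pkt: Packet) -> str:
    """Return the verdict an edge router would reach for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, RFC1918):
        return "drop-rfc1918"
    if _in_any(src, OTHER_BOGONS):
        return "drop-bogon"
    allowed = CUSTOMER_PREFIXES.get(pkt.iface)
    if allowed is None:
        # No assignment known for this port: fail closed rather than guess.
        return "drop-unknown-iface"
    if not _in_any(src, allowed):
        # Source is routable but does not belong to this customer's port.
        return "drop-spoofed"
    return "forward"


def filter_packets(pkts):
    """Apply classify() to a batch and summarise what the filter would drop."""
    counts = Counter(classify(p) for p in pkts)
    total = len(pkts)
    dropped = total - counts["forward"]
    return {
        "total": total,
        "dropped": dropped,
        "dropped_pct": round(100.0 * dropped / total, 1) if total else 0.0,
        "by_verdict": dict(counts),
    }


# Constructed sample traffic; the mix is arbitrary and says nothing about real ratios.
SAMPLE_PACKETS = [
    Packet("cust-A", "198.51.100.7", "192.0.2.1"),   # legitimate
    Packet("cust-A", "10.1.2.3", "192.0.2.1"),       # RFC-1918 leak
    Packet("cust-B", "203.0.113.150", "192.0.2.1"),  # legitimate (in 203.0.113.128/26)
    Packet("cust-B", "203.0.113.200", "192.0.2.1"),  # .200 is outside both of cust-B's blocks
    Packet("cust-B", "198.51.100.9", "192.0.2.1"),   # cust-A's space seen on cust-B's port
    Packet("cust-A", "172.20.0.1", "192.0.2.1"),     # RFC-1918 leak
    Packet("cust-A", "127.0.0.1", "192.0.2.1"),      # loopback source
    Packet("cust-C", "192.0.2.77", "192.0.2.1"),     # port with no assignment on file
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.iface:7} {p.src:15} -> {classify(p)}")
    print(filter_packets(SAMPLE_PACKETS))
```

The 203.0.113.200 packet is the case worth noticing: the address is routable and even sits inside the customer's aggregate, but not inside either block actually assigned to that port, so check 2 drops it while check 1 would have let it through. Every such gap between "what the customer announces" and "what their port may source" is one of the exceptions Sean is referring to, and on a multihomed transit customer the table has to be kept in step with routing or it silently drops good traffic.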