North American Network Operators Group


Re: Who does source address validation? (was Re: what's that smell?)

  • From: John M. Brown
  • Date: Tue Oct 08 14:52:27 2002

It seems to reason that if people started filtering RFC-1918 on 
their edge, we would see a noticeable amount of traffic go away.

Simulation models I've been running show that an average of 12 to 18 percent
of a provider's traffic would disappear if they filtered RFC-1918 sourced
packets.  The percentage ranges scale with the size of the provider.
Smaller providers, less impact; larger providers, more impact.

In addition to the bandwidth savings, there is also a support cost
reduction and together, I believe backbone providers can see this
on the bottom line of their balance sheets.

We have to start someplace.  There is no magic answer for all cases.

RFC-1918 is easy to admin, and easy to deploy, in relative terms compared
to uRPF or similar methods.

For large and small alike it can be a positive marketing tool, if properly
implemented.


john brown


On Tue, Oct 08, 2002 at 11:09:10AM -0400, Sean Donelan wrote:
> 
> On Tue, 8 Oct 2002, Joe Abley wrote:
> > What is difficult about dropping packets sourced from RFC1918 addresses
> > before they leave your network?
> >
> > I kind of assumed that people weren't doing it because they were lazy.
> 
> I've checked the marketing stuff of several backbones, as far as I could
> tell only one makes the blanket statement about source address
> validation on their entire network.
> 
> http://www.ipservices.att.com/backbone/techspecs.cfm
> 
>    AT&T has also implemented security features directly into the backbone.
>    IP Source Address Assurance is implemented at every customer
>    point-of-entry to guard against hackers. AT&T examines the source
>    address of every inbound packet coming from customer connections to
>    ensure it matches the IP address we expect to see on that packet. This
>    means that the AT&T IP Backbone is RFC2267-compliant.
> 
> What backbones do 100% source address validation?  And how much of it is
> real, and how much is marketing? On single-homed or few-homed stub
> networks it's "easy."  But even on a moderately complex transit network it
> becomes "difficult."  Yes, I know about uRPF-like stuff, but the router
> vendors are still tweaking it.
> 
> If there is a magic solution, I would love to hear about it.
> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.
> 
> Heck, the phone network still has trouble getting the correct Caller-ID
> end-to-end.
> 
>
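As an added illustration (not part of the thread and not anyone's production code), the script below models the two policies discussed above: a plain RFC-1918 source filter, and the stricter per-interface source address validation that AT&T's blurb describes. It runs over a small set of constructed flow records and reports how much of the traffic each policy would drop; the interface names, prefixes and byte counts are all made up for the example.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 private address space; packets sourced from these should never
# leave a customer edge toward the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (ingress interface, source IP, bytes). The
# addresses are documentation ranges, not real customers.
Flow = namedtuple("Flow", "ifname src bytes")
SAMPLE_FLOWS = [
    Flow("cust-A", "203.0.113.10", 4000),
    Flow("cust-A", "10.1.2.3", 1500),        # RFC-1918 leak
    Flow("cust-B", "198.51.100.7", 2500),
    Flow("cust-B", "192.168.0.9", 500),      # RFC-1918 leak
    Flow("cust-B", "203.0.113.99", 1500),    # public, but not cust-B's block
]

# Prefixes each customer interface is expected to source traffic from
# (the "IP address we expect to see" in the quoted AT&T description).
EXPECTED = {
    "cust-A": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/24")],
}

def is_rfc1918(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)

def is_expected_source(ifname, src):
    """Strict-uRPF-style check: the source must fall inside a prefix
    assigned to the interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in EXPECTED.get(ifname, []))

def rfc1918_policy(flow):
    return is_rfc1918(flow.src)

def source_validation_policy(flow):
    return not is_expected_source(flow.ifname, flow.src)

def filter_stats(flows, drop):
    """Return (dropped_bytes, total_bytes, percent_dropped) for a drop predicate."""
    total = sum(f.bytes for f in flows)
    dropped = sum(f.bytes for f in flows if drop(f))
    return dropped, total, (round(100.0 * dropped / total, 1) if total else 0.0)

if __name__ == "__main__":
    for name, pol in (("RFC1918-only", rfc1918_policy),
                      ("per-interface SAV", source_validation_policy)):
        d, t, pct = filter_stats(SAMPLE_FLOWS, pol)
        print(f"{name}: drop {d} of {t} bytes ({pct}%)")
```

The per-interface check catches everything the RFC-1918 filter does plus the spoofed public source, which is the gap the thread is arguing about; the cost is keeping EXPECTED accurate for every customer port, which is the "exceptions" burden Sean describes.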