North American Network Operators Group


Re: On the back of other 'security' posts....

  • From: Iljitsch van Beijnum
  • Date: Tue Sep 02 03:46:48 2003


On Monday, Sep 1, 2003, at 20:58 Europe/Amsterdam, Terry Baranski wrote:

>> the rest of the paper is also germane to this thread.  just
>> fya, we keep rehashing the UNimportant part of this argument,
>> and never progressing. (from this, i deduce that we must be humans.)

> Ok, so we seem to have a general agreement that anti-spoof & BGP prefix
> filtering on all standard customer edge links is a worthwhile practice.
I think we can use wording a little stronger than this. Allowing invalid (for that customer) prefixes or source addresses has the potential to cause significant problems.

> Now what? Is there any hope of this ever happening on a very large
> scale without somehow being mandated? (Not that it necessarily should be
> mandated.) How much success have Barry Green and co. had? Is there
> something the rest of us could be doing?
Well, one thing that would work well if one or more of the large networks start doing it: de-peer if you see this kind of stuff from your peers. I enabled

access-list 123 deny ip 192.168.0.0 0.0.255.255 any log-input

on an interface towards an internet exchange, and I got a significant number of hits, most notably from several large cable ISPs.

Obviously this is going to happen much faster as soon as someone figures out that if you have your own high-capacity global network, you're in a relatively good position to clean up DoS for your customers on a structural basis and thus charge more per Mbit.
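The post's measurement (a `deny ... log-input` entry on an exchange-facing interface) produces one syslog line per logged hit, and on a shared exchange LAN the source MAC recorded by `log-input` tells you which peer's router handed you the packet. The script below, an added example that is not from the post or from any vendor, parses lines in the shape of the IOS `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` messages, classifies each denied source against a small list of private and special-use blocks, and totals packets per peer MAC so the operator can see which neighbours are leaking RFC 1918-sourced traffic. The log lines, the interface names, the MAC addresses and the bogon list are all constructed for the example; a real deployment would feed it the router's syslog and a maintained bogon list.

```python
import ipaddress
import re
from collections import Counter

# Constructed list of a few private / special-use source blocks that should
# never arrive from a peer. Not exhaustive; use a maintained bogon list in practice.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
)]

# Tolerant match for IOS 'log-input' ACL messages, e.g. (shapes assumed here):
#   %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.5(1234) (Gi1/0 0001.0203.0405) -> 203.0.113.9(80), 3 packets
#   %SEC-6-IPACCESSLOGDP: list 123 denied icmp 10.1.1.1 (Gi1/0 0001.0203.0405) -> 203.0.113.9 (8/0), 1 packet
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? "          # source, optional (port)
    r"\((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+).*?, (?P<count>\d+) packets?"
)

# Constructed sample syslog excerpt: two peer MACs on the exchange LAN plus one
# unrelated message that the parser must ignore.
SAMPLE_LOG = """\
Sep  2 03:40:01 ixrtr 1234: %SEC-6-IPACCESSLOGP: list 123 denied udp 192.168.4.7(53) (GigabitEthernet1/0 0001.0203.0405) -> 203.0.113.9(33434), 5 packets
Sep  2 03:40:02 ixrtr 1235: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.9.1(1024) (GigabitEthernet1/0 0001.0203.0405) -> 203.0.113.20(80), 2 packets
Sep  2 03:40:03 ixrtr 1236: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 10.10.10.10 (GigabitEthernet1/0 00aa.bbcc.ddee) -> 203.0.113.9 (8/0), 1 packet
Sep  2 03:40:04 ixrtr 1237: %SEC-6-IPACCESSLOGP: list 123 denied tcp 172.20.0.1(443) (GigabitEthernet1/0 00aa.bbcc.ddee) -> 203.0.113.30(50000), 1 packet
Sep  2 03:40:05 ixrtr 1238: %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
"""


def parse_line(line):
    """Return the fields of one ACL log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def classify(src):
    """Name the bogon block a source falls in, or 'other' if it matches none."""
    for net in BOGON_NETS:
        if src in net:
            return str(net)
    return "other"


def summarize(log_text):
    """Total denied packets per (peer MAC, bogon block)."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        totals[(rec["mac"], classify(rec["src"]))] += rec["count"]
    return totals


def worst_offenders(log_text):
    """Peer MACs ordered by how many bogon-sourced packets they delivered."""
    by_mac = Counter()
    for (mac, _block), n in summarize(log_text).items():
        by_mac[mac] += n
    return by_mac.most_common()


if __name__ == "__main__":
    for (mac, block), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{mac}  {block:<16} {n} packets")
    print("by peer:", worst_offenders(SAMPLE_LOG))
```

Mapping a peer MAC back to the peer is then a lookup in the exchange's participant list or the router's ARP table; the per-MAC totals are what you would bring to the peer (or to the de-peering discussion the post suggests) rather than a single log line.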