North American Network Operators Group


Re: What were we saying about edge filtering?

  • From: Paul Vixie
  • Date: Thu Sep 04 12:42:46 2003

(i know i said i wouldn't comment on this, but that was yesterday.)

> > At the edge, very near the originating host there is no reason not to
> > filter these, if you find the sources you might consider asking them why
> > they didn't filter these for you...

i've asked.  answers are usually of the form "huh? what's that?" unless it's
a relatively smart person with the misfortune to be working at a bankrupt
backbone with short staff and no equipment budget in which case the answer
is some variation of "well that's fine at the edge but not in the core".  in
fact, see above :-).

> And what is the reason to not filter these in the backbone? Full spoof 
> protection at some levels is near impossible. However, bogon filtering 
> is not.

loose-rpf is a start.  none of the packets shown below came to me from a
peer or transit who runs loose-rpf in their backbone.  however, loose-rpf
only solves a small part of the source address ambiguity problem, since
the niks can still source their zwil from (other people's) routed cidr
blocks.  

with respect to the trace below, this is one f-root out of about 25, and
while we normally have to sanitize the source addresses of our traces before
we make them public, as you can see it's really not nec'y for this one:

#sfo2a.f:i386# tcpdump -n src net \( 10 or 172.16/12 or 192.168/16 \)
tcpdump: listening on fxp0
16:34:44.982330 172.20.1.1.3436 > 192.5.5.241.53:  4072[|domain]
16:34:45.027735 172.16.1.13.53 > 192.5.5.241.53:  21659 A? updatekeepalive.mcafee.com. (44)
16:34:45.053542 10.10.220.10.32769 > 192.5.5.241.53:  52143 NS? . (17) (DF)
16:34:45.084594 10.23.1.40.1024 > 192.5.5.241.53:  7932 NS? . (17)
16:34:45.832620 192.168.0.2.1133 > 192.5.5.241.53:  8690 A? g-images.amazon.com. (37)
16:34:45.837360 192.168.0.2.1133 > 192.5.5.241.53:  12795 A? g-images.amazon.com. (37)
16:34:45.841734 192.168.0.2.1133 > 192.5.5.241.53:  512 A? g-images.amazon.com. (37)
16:34:45.846085 192.168.0.2.1133 > 192.5.5.241.53:  6665 A? g-images.amazon.com. (37)
16:34:45.850969 192.168.0.2.1133 > 192.5.5.241.53:  12820 A? g-images.amazon.com. (37)
16:34:45.871451 192.168.0.63.1105 > 192.5.5.241.53:  84 PTR? 8.0.168.192.in-addr.arpa. (42)
16:34:45.924779 10.2.3.39.1030 > 192.5.5.241.53:  57 A? www.symantec.com. (34)
16:34:45.926582 10.2.3.39.1030 > 192.5.5.241.53:  6208 A? time-a.timefreq.bldrdoc.gov. (45)
16:34:45.931745 10.2.3.39.1030 > 192.5.5.241.53:  12361 A? time-a.timefreq.bldrdoc.gov. (45)
16:34:46.096376 192.168.1.113.32830 > 192.5.5.241.53:  18162 [1au] MX? networkoptservices.net. OPT  UDPsize=4096 (51) (DF)
16:34:46.098370 192.168.1.113.32830 > 192.5.5.241.53:  9520 MX? activision.info. (33) (DF)
16:34:46.801114 172.30.60.229.53 > 192.5.5.241.53:  1400 SOA? 150.118.162.in-addr.arpa. (42)
16:34:46.828786 192.168.104.10.1097 > 192.5.5.241.53:  1290 A? images.daemon.sh. (34)
16:34:46.830733 192.168.104.10.1097 > 192.5.5.241.53:  11542 A? images.daemon.sh. (34)
16:34:46.832704 192.168.104.10.1097 > 192.5.5.241.53:  1305 A? images.daemon.sh. (34)
16:34:46.833516 192.168.104.10.1097 > 192.5.5.241.53:  13600 A? images.daemon.sh. (34)
16:34:46.834898 192.168.0.2.1133 > 192.5.5.241.53:  10777 A? g-images.amazon.com. (37)
16:34:46.834905 192.168.104.10.1097 > 192.5.5.241.53:  15659 A? images.daemon.sh. (34)
16:34:46.839097 192.168.0.2.1133 > 192.5.5.241.53:  544 A? g-images.amazon.com. (37)
16:34:46.843399 192.168.0.2.1133 > 192.5.5.241.53:  552 A? g-images.amazon.com. (37)
16:34:46.848108 192.168.0.2.1133 > 192.5.5.241.53:  14902 A? g-images.amazon.com. (37)
16:34:46.853027 192.168.0.2.1133 > 192.5.5.241.53:  6718 A? g-images.amazon.com. (37)
16:34:46.898737 192.168.203.7.1111 > 192.5.5.241.53:  3150 A? microsoft.com.mailwell.com. (44)
16:34:46.900221 192.168.203.7.1111 > 192.5.5.241.53:  5206 A? microsoft.com.mailwell.com. (44)
16:34:46.926334 10.2.3.39.1030 > 192.5.5.241.53:  4182 A? www.symantec.com. (34)
16:34:46.926721 10.2.3.39.1030 > 192.5.5.241.53:  2143 A? www.symantec.com. (34)
16:34:47.018181 192.168.100.24.1102 > 192.5.5.241.53:  16356 A? sbasupport. (28)
16:34:47.828700 192.168.104.10.1097 > 192.5.5.241.53:  15668 A? rsthost1.ods.org. (34)
16:34:47.829026 192.168.104.10.1097 > 192.5.5.241.53:  5439 A? rsthost1.ods.org. (34)
16:34:47.892288 10.81.0.22.1069 > 192.5.5.241.53:  6014 SOA? 0.81.10.in-addr.arpa. (38)
16:34:47.905254 192.168.128.4.53 > 192.5.5.241.53:  614 PTR? 30.128.168.192.in-addr.arpa. (45)
16:34:47.919143 10.1.0.3.53 > 192.5.5.241.53:  26579 A? www.symantec.com. (34)
16:34:47.926353 10.2.3.39.1030 > 192.5.5.241.53:  12388 SOA? 12.2.10.in-addr.arpa. (38)
16:34:47.981405 172.20.1.1.3436 > 192.5.5.241.53:  8189[|domain]
^C
3205 packets received by filter
0 packets dropped by kernel
-- 
Paul Vixie
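As an added illustration, not part of Vixie's post, the script below applies the two filters discussed above to lines taken from the trace: a static RFC 1918 prefix list (the same nets as the tcpdump expression) and a loose-RPF check against a constructed stand-in routing table. The 198.51.100.7 line and the routing table are constructed; they show that a packet sourced from a routed block sails through loose-RPF, which is the gap the post points out.

```python
"""Classify DNS query sources in a tcpdump trace: bogon list vs loose-RPF."""
import ipaddress
import re
from collections import Counter

# Same RFC 1918 nets as the tcpdump filter in the post.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for a backbone routing table. Loose-RPF only asks
# "is there any route for this source?", not "did it arrive where expected?".
ROUTED_PREFIXES = [ipaddress.ip_network(p) for p in
                   ("192.5.5.0/24", "198.51.100.0/24")]

# tcpdump -n format: "<ts> <src>.<sport> > <dst>.<dport>: <id> <rest>"
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\S+)\.(\d+):"
                     r"\s+(\d+)\s*(.*)$")

# Lines from the post's trace plus one constructed (routed-source) line.
SAMPLE_TRACE = """\
16:34:44.982330 172.20.1.1.3436 > 192.5.5.241.53:  4072[|domain]
16:34:45.053542 10.10.220.10.32769 > 192.5.5.241.53:  52143 NS? . (17) (DF)
16:34:45.832620 192.168.0.2.1133 > 192.5.5.241.53:  8690 A? g-images.amazon.com. (37)
16:34:45.837360 192.168.0.2.1133 > 192.5.5.241.53:  12795 A? g-images.amazon.com. (37)
16:34:46.096376 192.168.1.113.32830 > 192.5.5.241.53:  18162 [1au] MX? networkoptservices.net. OPT  UDPsize=4096 (51) (DF)
16:34:47.000000 198.51.100.7.1025 > 192.5.5.241.53:  4242 A? example.net. (29)
""".splitlines()


def parse_line(line):
    """Return {src, sport, qtype} for one tcpdump line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, sport, _dst, _dport, _qid, rest = m.groups()
    t = re.search(r"\b([A-Z]+)\?", rest)          # "A?", "NS?", "MX?" ...
    return {"src": src, "sport": int(sport), "qtype": t.group(1) if t else None}


def is_bogon(addr):
    """Static prefix-list filter: source inside RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def passes_loose_rpf(addr, table=ROUTED_PREFIXES):
    """Loose uRPF: accept when any route in the table covers the source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in table)


def summarize(lines):
    """Count RFC 1918-sourced queries per (source, qtype) for reporting upstream."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_bogon(rec["src"]):
            hits[(rec["src"], rec["qtype"])] += 1
    return hits
```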