North American Network Operators Group


Re: BCP38 making it work, solving problems

  • From: Michael.Dillon
  • Date: Thu Oct 14 06:50:41 2004

> At 12:01 PM 10/13/04 +0200, Iljitsch van Beijnum wrote:
> >Trusting the source when it says that its packets aren't evil might be 
> >sub-optimal. Evaluation of evilness is best left up to the receiver.
> Likely true. Next question is whether the receiver can really determine 
> that in real time. For some things, yes, but for many things it is not 
> obvious to me. 

Correct me if I'm wrong here, but my interpretation of this
suggestion was not that we should trust the source to mark
packets but that we should trust our peers to mark packets.

This seems to be something that is workable since most people
have a manageable number of peers. Presumably each peer could
mark the traffic based on what they know about their customer's
network. If a customer follows all best practices, they mark it
with the non-evil bit, otherwise not. If truly evil traffic is
coming in from a peer, then one could apply mitigating actions
only to traffic that is not marked non-evil, either blackholing
it all or diverting it to a router that will perform complex
filtering or heavily rate limiting it.

It seems to me that really addressing DDoS, botnets, etc.,
requires network operators to agree on some sort of common
coordinated action and using a network protocol to communicate
about this coordinated action would be very useful.

This doesn't mean that the non-evil bit is the only way,
but the idea of network operators marking traffic in some
way to indicate their level of confidence in its normality
seems to be worth pursuing. It seems to be the natural
progression of projects like the selection found at

--Michael Dillon
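The scheme sketched in this post, as a small runnable model. This is an added example and is not code from the thread or from any operator's deployment: the "non-evil" mark field, the Peer/Customer/ReceiverEdge objects, the customer prefixes, the token-bucket rates and the sample traffic are all assumptions made up here for illustration. The peer applies BCP38 at its customer port (spoofed sources are dropped there) and sets the mark only for customers it knows follow best practices; the receiver leaves marked traffic alone and applies the chosen mitigation (rate-limit with excess diverted to a filtering router, or blackhole) only to unmarked packets.

```python
"""Toy model of the "non-evil bit" idea from the post above.

Added example, not from the original thread. Every name, prefix, rate and
packet here is a constructed assumption used only for illustration.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    FORWARD = "forward"
    DIVERT = "divert"   # hand off to a router that does the expensive filtering
    DROP = "drop"       # blackhole


@dataclass
class Packet:
    src: str
    dst: str
    size: int = 64          # bytes
    non_evil: bool = False  # hypothetical mark set by the upstream peer


@dataclass
class Customer:
    name: str
    prefixes: tuple      # address space the customer may legitimately source from
    follows_bcp38: bool  # what the peer knows about the customer's practices


class Peer:
    """A transit peer marking traffic at its customer ports (hypothetical)."""

    def __init__(self, customers):
        self.customers = {c.name: c for c in customers}

    def ingress(self, customer_name, pkt):
        """Apply BCP38 at the customer port, then mark. Returns None if dropped."""
        cust = self.customers[customer_name]
        src = ipaddress.ip_address(pkt.src)
        if not any(src in ipaddress.ip_network(p) for p in cust.prefixes):
            return None  # spoofed source: the peer's own ingress filter drops it
        # The mark expresses the peer's confidence in the customer, not the packet.
        pkt.non_evil = cust.follows_bcp38
        return pkt


class TokenBucket:
    """Byte-based token bucket: rate in bytes/s, burst in bytes."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class ReceiverEdge:
    """Receiving network's border: mitigation touches only unmarked traffic."""

    def __init__(self, mode="off", unmarked_rate=1000, unmarked_burst=200):
        self.mode = mode  # "off", "ratelimit" (excess diverted) or "blackhole"
        self.bucket = TokenBucket(unmarked_rate, unmarked_burst)

    def police(self, pkt, now):
        if self.mode == "off" or pkt.non_evil:
            return Action.FORWARD
        if self.mode == "blackhole":
            return Action.DROP
        return Action.FORWARD if self.bucket.allow(pkt.size, now) else Action.DIVERT


def simulate(mode):
    """Run constructed sample traffic through one peer and one receiver edge."""
    peer = Peer([
        Customer("tidy", ("192.0.2.0/24",), follows_bcp38=True),
        Customer("sloppy", ("198.51.100.0/24",), follows_bcp38=False),
    ])
    edge = ReceiverEdge(mode)
    # (time in seconds, customer port, packet); constructed, not captured traffic
    traffic = [(0.0, "tidy", Packet("192.0.2.10", "203.0.113.5")),
               (0.0, "tidy", Packet("10.0.0.1", "203.0.113.5"))]       # spoofed
    traffic += [(0.0, "sloppy", Packet("198.51.100.7", "203.0.113.5"))
                for _ in range(5)]                                     # burst
    traffic += [(0.1, "sloppy", Packet("198.51.100.9", "203.0.113.5")),
                (0.1, "tidy", Packet("192.0.2.11", "203.0.113.5"))]
    counts = {"dropped_at_peer": 0, "forwarded": 0, "diverted": 0, "blackholed": 0}
    names = {Action.FORWARD: "forwarded", Action.DIVERT: "diverted",
             Action.DROP: "blackholed"}
    for now, port, pkt in traffic:
        pkt = peer.ingress(port, pkt)
        if pkt is None:
            counts["dropped_at_peer"] += 1
            continue
        counts[names[edge.police(pkt, now)]] += 1
    return counts


if __name__ == "__main__":
    for mode in ("off", "ratelimit", "blackhole"):
        print(mode, simulate(mode))
```

With mitigation off the receiver forwards everything the peer let through; in "ratelimit" mode the marked packets still pass untouched while the unmarked burst from the "sloppy" customer exhausts the bucket and the excess is diverted, and the bucket refills so later unmarked packets pass again; in "blackhole" mode every unmarked packet is dropped at the border while the marked ones are unaffected. The point the post makes is visible in the numbers: the mitigation's blast radius is confined to traffic the peer would not vouch for.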