North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: router worms and International Infrastructure

  • From: Pekka Savola
  • Date: Thu Sep 22 01:42:08 2005

On Wed, 21 Sep 2005, Christopher L. Morrow wrote:
On Wed, 21 Sep 2005, Pekka Savola wrote:
Btw. Juniper's Feasible Path uRPF (mentioned in RFC3704) is your
friend, even on multihomed/asymmetric links.
So, say I'm a large consumer broadband ISP, and I made the decision some
years ago to use net-10 as my infrastructure space? How does 'feasible
path' help block 10.x.x.x sources exactly?
Sorry, I don't understand the context to see the problem.

If you use 10.x.x.x internally in your backbone, you're fine because that cruft shouldn't be coming at your direction from the customers.

If you also use 10.x.x.x to assign addresses to the CPE boxes (which is what I think you're saying), the customer can only spoof one /30 from 10/8 (or whatever has been assigned on the CPE and/or the point-to-point link).

You may also consider using uRPF at the CPE box to disallow the customer from spoofing anything in that infrastructure space (particularly the /30).

At your borders (upstream/peers), you will naturally block all of 10/8 at egress.

While uRPF might or might not be sufficient to protect *your* infrastructure from worms (if the customer happens to spoof "just the right way"), it should be useful in preventing spoofing affecting others' infrastructure.

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings