
NANOG Meeting Presentation Abstract

IAB Concerns About Permanent Deployment of Edge-Based Filtering
Meeting: NANOG30
Date / Time: 2004-02-10 11:25am - 11:40am
Room: Symphony Ballroom II - IV
Presenters:

Itojun Hagino, IETF Internet Architecture Board

Itojun is a member of the KAME project, which develops an IPv6/IPsec stack for *BSD UNIX variants. In the IETF, Itojun has been involved in IPv6 and security-related Working Groups such as IPsec, and contributed to various RFCs related to the IPv6 transition, operations, and the protocol itself. He has been a member of the IAB since March 2002.
Abstract: On October 17, 2003, the IETF's Internet Architecture Board (IAB) posted the following note to the NANOG list:


The IAB notes that there are ISPs/ASes undertaking permanent deployment of
edge-based protocol number/port number packet filtering on traffic
received from eBGP peers.

As a short term response to security incidents this is a prudent
operational measure that limits the spread of various forms of attack, and
also mitigates some level of risk associated with network vulnerabilities.
For example, many ISPs installed temporary filters in response to a July
2003 security advisory for CISCO routers
(http://www.cert.org/advisories/CA-2003-15.html). In the case of this
incident PIM (protocol # 103) and mobile-ip4 (55) packets could trigger
the vulnerability. The operational community responded with widespread
deployment of filters at AS borders for these protocol numbers. Because
of this, PIM and mobile-ip4 no longer work across such AS borders.

The IAB is concerned about the practice of the permanent deployment of
such traffic filters, since this could block the operation of certain
applications in current use, as well as limiting the potential for
deployment of future applications. Such filters ultimately limit
extensibility of the Internet protocol as well as the Internet itself.

It is an entirely appropriate and operationally prudent response to filter
at the AS border as a short term mitigation of various network
vulnerabilities. However, filters at AS borders do not provide any more
than a relatively short term mitigation, and certainly do not solve the
real problem of eliminating all forms of exploitation of such
vulnerabilities. Over time knowledge of a vulnerability spreads across
the network and potential exploiters of a vulnerability will be within an
ISP/AS as well as being on the outside. The only stable and appropriate
longer term operational response is to upgrade network equipment to
eliminate the vulnerability, rather than attempting to configure packet
filters intended to prevent externally located third parties from
exploiting it.

While short term traffic filters are deployed, the appropriate recommended
longer term action is to:

- To install filters to detect packets that are directed to the router
itself to protect the router. (do not filter traffic that goes through
the routers).

- To update router firmware to a version known to eliminate the
vulnerability

Regards,

Jun-ichiro itojun Hagino, on behalf of IAB ([email protected])

(See the posting and responses at http://www.merit.edu/mail.archives/nanog/2003-10/msg01025.html).

The posting generated a certain amount of discussion, including questions about why the IAB is commenting on ISP operational issues, and whether or not ISPs should filter routes at eBGP routers. In this presentation, we will discuss the IAB's views on the importance of the Internet's extensibility/adaptability to new protocols, and the negative impact on extensibility of filtering at eBGP borders.
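The distinction the IAB note draws, between a border filter that drops PIM and mobile-ip4 for all transit traffic and a filter that only protects the router itself, as an added configuration example that is not part of the IAB note or of the presentation. Cisco IOS syntax is assumed; the interface name, ACL numbers and the availability of control-plane policing on a given platform are assumptions.

```cisco
! Added example (not from the IAB note or the presentation). Cisco IOS syntax;
! interface name, ACL numbers and CoPP support on the platform are assumptions.
!
! (A) The short-term border filter the note describes. Applied on the
!     eBGP-facing interface it drops protocol 103 (PIM) and 55 (mobile-ip4)
!     for EVERY packet, so those protocols stop working across this AS border.
access-list 110 deny   pim any any
access-list 110 deny   55  any any
access-list 110 permit ip  any any
!
interface GigabitEthernet0/0
 description Link to eBGP peer (assumed interface name)
 ip access-group 110 in
!
! (B) The longer-term recommendation: protect the router itself and leave
!     transit traffic alone. Control-plane policing only sees packets that
!     are punted to the route processor, i.e. packets addressed to the
!     router, so transit PIM/mobile-ip4 is not affected.
ip access-list extended ROUTER-DESTINED-PIM-MIP
 remark permit here means "match this traffic for the class below"
 permit pim any any
 permit 55  any any
!
class-map match-all COPP-PIM-MIP
 match access-group name ROUTER-DESTINED-PIM-MIP
!
policy-map COPP
 class COPP-PIM-MIP
  drop
!
control-plane
 service-policy input COPP
!
! To replace (A) with (B) once the firmware upgrade the note calls for is
! scheduled, remove the interface ACL:
interface GigabitEthernet0/0
 no ip access-group 110 in
```

If the router itself legitimately runs PIM or mobile-ip4 on some links, narrow the ACL in (B) to source ranges outside those links rather than dropping the protocol unconditionally; as the note says, the stable fix is the firmware upgrade, not the filter.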
Files: IAB Concerns About Permanent Deployment of Edge-Based Filtering (YouTube video)
Itojun Hagino Presentation (PDF)
Sponsors: None.
