North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: no ip forged-source-address

  • From: Tony Hain
  • Date: Wed Oct 30 12:31:33 2002

To reiterate the comment I made during the session yesterday, the places
where strict rpf will be most effective are at the very edge interfaces
without explicit management (SOHO). This also tends to be the place
where there is insufficient clue to turn it on. One hopes that in the
nanog community there is sufficient clue to recognize the case where
having it on will create a problem and turn it off.

This has been a case where money has been talking, and those with enough
clue to comment on it are saying they don't want it, while those that
really need it are not asking. If the community believes this technique
is the best tool for regaining visibility into where attacks are coming
from, there are two explicit steps to making it happen. First, demand
that all vendors make it the default. Second, be willing to turn it off
rather than simply complain that it doesn't work in the ISP network. 

Tony 


> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On 
> Behalf Of variable@ednet.co.uk
> Sent: Wednesday, October 30, 2002 8:21 AM
> To: nanog@nanog.org
> Subject: Re: no ip forged-source-address
> 
> 
> 
> On Wed, 30 Oct 2002, Daniel Senie wrote:
> 
> > BCP 38 is quite explicit in the need for all networks to do their 
> > part. The
> > document is quite effective provided there's cooperation.
> 
> Doesn't seem to be working.
>  
> > Which interface would you filter on?
> 
> Customer ingress ports on the ISP side, which I suspect are 
> the majority of ports in ISP networks.  Hopefully engineers 
> on the backbone will be clueful enough to turn it off.
> 
> > If we're talking about a router at the customer premesis, 
> the filters 
> > should be on the link to the ISP (the customer may well have more 
> > subnets internally). At the ISP end, doing the filtering 
> you suggest 
> > would not work, since it'd permit only the IP addresses of the link 
> > between the customer and user.
> 
> The routing table of the router should be used to build up a list of 
> prefixes that you should see through the interface.  In this way, you 
> could apply it to BGP customers too without having to create 
> filters by 
> hand.
> 
> Regards,
> 
> 
> Rich
>