North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Source address validation (was Re: UUNet Offer New Protection
On Sun, 7 Mar 2004, Paul Vixie wrote: > in the therefore-unreal world i live in, the ability to tell a GWF ("goober > with firewall") that the incident report they sent our noc could not possibly > have come from here, is a net cost savings over having to prove it every time. Of course, some people claim large networks say that anyway so there is not net cost savings :-) In practice, GWF's do not send reports to noc's about packets which could not have possibly have come from here. They send reports about packets which have our IP addresses, but didn't originate here. The last thing you want to admit is you do SAV because GWF think SAV means every packet with that source address must have originated here. Whether or not we do SAV or everyone else does SAV, it doesn't save any time validating if a packet stream originated here. Did the packet actually originate here, or did SAV fail somewhere and it originated somewhere else? Dear NOC, 22.214.171.124 is attacking me. Prove it isn't. Rinse, Lather, Repeat. Maybe you got hacked in the last 5 seconds, and now you really are attacking them.