North American Network Operators Group
Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)
CLM> Date: Mon, 8 Mar 2004 01:32:51 +0000 (GMT)
CLM> From: Christopher L. Morrow

CLM> in a perfect world yes[...]

CLM> Until this is a default behaviour and you can't screw it up
CLM> (ala directed-broadcast) this will be something we all have
CLM> to deal with.

Yes. But the only way we'll get there is 1) a flag day or 2) if
we gradually work in that direction.

CLM> it melts routers, good enough for you? Specifically it
CLM> melts linecards :(

:-(

CLM> This is a problem that could be migrated out as new
CLM> equipment/capabilities hit everyone's networks. I suspect
CLM> that market pressure will push things in this direction
CLM> anyway over time.

...and hopefully will be safe-by-default. Anyone who has
multihomed downstreams should be clued enough to disable strict
SAV as needed -- similar to, yet the opposite of, manually
configuring OSPF to treat interfaces as passive by default.

As for low-end routers, uRPF is supported on 26xx. I don't know
about a 16xx or 25xx... a scary thought, but chances are such a
router would have a very small list of reachable netblocks to
check.

Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses :
firstname.lastname@example.org -or- email@example.com -or- firstname.lastname@example.org
Sending mail to spambait addresses is a great way to get blocked.
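
Added example, not part of the original message: a small Python model of the strict-by-default source address validation discussed above, with a per-interface relaxation for a multihomed downstream. The FIB, the interface names (cust-a, cust-b, peer-x, upstream0) and the rule that loose mode ignores the default route are assumptions of this sketch, and the prefixes are documentation ranges.

```python
import ipaddress

# Constructed FIB: (prefix, interface of the best path back to that prefix).
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust-a"),     # single-homed downstream
    ("198.51.100.0/24", "peer-x"),  # multihomed downstream; best path is via its other provider
]
# Strict is the default; only the multihomed downstream's port is relaxed.
MODE_OVERRIDES = {"cust-b": "loose"}

def best_route(src):
    """Longest-prefix match over FIB; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def urpf_accepts(src, in_if, mode=None):
    """True if a packet with source `src` arriving on `in_if` passes the check."""
    mode = mode or MODE_OVERRIDES.get(in_if, "strict")
    route = best_route(src)
    if route is None:
        return False
    net, out_if = route
    if mode == "strict":
        # The best path back to the source must leave via the arrival interface.
        return out_if == in_if
    # Loose: any non-default route to the source is enough (assumption of this sketch).
    return net.prefixlen > 0

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "cust-a", None),        # legitimate single-homed traffic
        ("203.0.113.5", "cust-a", None),       # spoofed source on a strict port
        ("198.51.100.7", "cust-b", "strict"),  # multihomed: strict drops valid traffic
        ("198.51.100.7", "cust-b", None),      # same packet with the loose override
        ("192.0.2.10", "cust-b", None),        # loose cannot tell whose prefix it is
    ]
    for src, in_if, mode in cases:
        verdict = "accept" if urpf_accepts(src, in_if, mode) else "drop"
        print(f"{src:>14} on {in_if:<7} mode={mode or 'default':<7} -> {verdict}")
```

The last case is the cost of relaxing a port: in loose mode a source borrowed from another routed prefix is accepted, so the override belongs only on the interfaces that need it.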