North American Network Operators Group
Re: icmp rpf
On Tue, Sep 26, 2006 at 12:17:27AM -0700, Tony Rall wrote:
>
> On Monday, 2006-09-25 at 10:09 MST, Mark Kent <email@example.com> wrote:
> > Mark Smith replied with two paragraphs, but it's not 100% clear to me
> > that he got the reason why I asked. I asked because his initial statement
> > boiled down to "numbering on un-announced space breaks PMTUD"...
> > but it doesn't, not by itself (which he later expanded).
> >
> > It only does so in the presence of filtering.
>
> Which is exactly what one might expect to happen. At least it seems to me
> that RFC 3704 (BCP 84, http://www.ietf.org/rfc/rfc3704.txt) applies.
>
> When your traffic is sourced with dubious addresses, you should expect
> much of it to disappear. And when this happens, you're hurting your
> customers and your customers' customers (okay, sometimes it's "just" your
> peer's customers - still a concern in my opinion).

I think this is the critical point, dubious IP sources have been used/abused in the past and those at "big.net" that have done something to mitigate the risk to the world from their customers and their customers from the world are doing a "community service" imnsho ;).

I don't see anyone here really advocating spoofed sources (except for perhaps the mobile-ip users out there ;)

How many people here have rpf enabled by default on their customer CPE devices they ship? (in your template or whatnot) Do you u-rpf your dsl/cable/dial/fract-t1/t1 customers that are not doing bgp?

It's hard to get this implemented across an entire network. At one time I seem to recall someone saying that 7018 was fully bcp-38 compliant, but I could be wrong.

While doing u-rpf on your customers won't mitigate attacks against them, it will help mitigate the costs of tracking spoofed attacks across your network infrastructure (which is harder if you're doing mpls) that you incur.

Now, I'm guessing I may be the one responsible for the practices of "big.net", but I do encourage other big.nets to enable u-rpf strict or loose wherever possible based on their equipment capabilities. Every little bit will help.

- jared

--
Jared Mauch | pgp key available via finger from firstname.lastname@example.org
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
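
An added illustration, not part of the original message or of any vendor's implementation: a simplified model of the strict and loose u-rpf checks discussed in this thread, showing why ICMP sourced from un-announced link numbering is dropped once filtering is present. The FIB contents, interface names (cust0, peer0) and packets are constructed, and the router is assumed to be default-free.

```python
import ipaddress

# Constructed FIB for a hypothetical default-free edge router (documentation
# prefixes only): each entry maps a routed prefix to its egress interface.
# 192.0.2.0/24 stands in for un-announced link numbering, so it has no route.
FIB = [
    (ipaddress.ip_network("198.51.100.0/24"), "cust0"),  # customer block
    (ipaddress.ip_network("203.0.113.0/24"), "peer0"),   # learned from a peer
]

def best_route_interface(src):
    """Longest-prefix match on the source address; None if unrouted."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_permits(src, in_ifc, mode):
    """Simplified uRPF decision: 'loose' needs any route back to the source,
    'strict' needs the best route to point out the arrival interface."""
    ifc = best_route_interface(src)
    if ifc is None:
        return False
    return True if mode == "loose" else ifc == in_ifc

# Constructed packets: (description, source address, arrival interface)
PACKETS = [
    ("customer traffic, legitimate source", "198.51.100.10", "cust0"),
    ("customer traffic, spoofed source", "203.0.113.5", "cust0"),
    ("ICMP frag-needed from un-announced link", "192.0.2.1", "peer0"),
]

def evaluate():
    """Return {description: {"strict": bool, "loose": bool}} for PACKETS."""
    return {desc: {m: urpf_permits(src, ifc, m) for m in ("strict", "loose")}
            for desc, src, ifc in PACKETS}

if __name__ == "__main__":
    for desc, verdicts in evaluate().items():
        print(f"{desc:42s} strict={verdicts['strict']} loose={verdicts['loose']}")
```

The third packet is the PMTUD case: it fails both modes because no route to its source exists, so the sender never sees the "fragmentation needed" message. The strict check here assumes a single symmetric best path; multihomed or asymmetric customers need the feasible-path variants described in RFC 3704.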