NSPs and filters

Sean M. Doran smd at clock.org
Mon Jul 14 15:41:46 UTC 1997


Jon Lewis <jlewis at inorganic5.fdt.net> writes:

> A certain minimal level of network security should be a part of any
> responsible network.  

Out of curiosity, do you yourselves do source-based IP
filtering at all your edges?  (Dialups, dedicated
customers, gateways to your own PeeCee/Workstation gear,
and so on and so forth)

I don't disagree with you: everyone *ought* to filter out
bogus source addresses, and this *ought* to happen as
close to the edge as possible, so that a reasonable "tree
of trust" would assist in tracking down where any given
source-spoofing attack could *not* be coming from.

Without this "tree of trust", the farther away you get
from the valid origin of any given prefix, the less reliable
your decision to filter or not filter a packet that claims
to be originated there will be.

This gets awkward for large providers, since they probably
don't want to cause outages to customers or customers'
customers, or customers' customers' customers...

On the other hand, in a purely PA-addressed Internet, this
is very simple, so much so that filtering could even be
done on very large amounts of traffic, even without
routers which are specifically designed with source-based
filtering in mind.  

However, once again the addressing shortcomings of IPv4
(and these are duplicated in IPv6) get in the way of
building a scalable, reliable, secure Internet without
involving NAT devices.

> Somewhere in the internet food chain, it is
> very much practical to install filters, and someone needs to make sure
> they are in place.

Yes: if from your perspective you are certain that a
particular interface should only generate source addresses
within a certain prefix, or conversely you can guarantee
that the only valid source for packets originated with
that prefix is across a particular interface or small set
of interfaces, then building safety-providing filters that
do not cause unwanted disconnectivity is easy.

The problem is in the certainty...

	Sean.
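The kind of edge filter the post describes, namely "this interface should only generate source addresses within a certain prefix" and its converse "the only valid ingress for this prefix is a particular interface or small set of interfaces", as an added illustration that is not part of the original message. The interface names, prefixes and sample packets are constructed; the policy table is a hypothetical operator configuration, not anything from the thread.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Hypothetical per-edge policy (constructed sample values): each interface is
# only expected to originate packets whose source lies in its listed prefixes.
EDGE_POLICY: Dict[str, List[str]] = {
    "dialup-pool-1": ["192.0.2.0/24"],
    "customer-A": ["198.51.100.0/26"],
    "customer-B": ["198.51.100.64/26", "203.0.113.0/24"],
}

# Constructed sample packets as (ingress interface, source address).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("dialup-pool-1", "192.0.2.17"),    # inside the dialup pool: permit
    ("dialup-pool-1", "10.0.0.5"),      # private source on a dialup: drop
    ("customer-A", "198.51.100.9"),     # inside customer-A's /26: permit
    ("customer-A", "203.0.113.4"),      # customer-B's space arriving from A: drop
    ("customer-B", "203.0.113.4"),      # permit
    ("backbone-1", "198.51.100.9"),     # no policy for this interface: unfiltered
]


def compile_policy(policy: Dict[str, List[str]]):
    """Parse the textual prefixes once so per-packet checks are cheap."""
    return {
        iface: [ipaddress.ip_network(p) for p in prefixes]
        for iface, prefixes in policy.items()
    }


POLICY = compile_policy(EDGE_POLICY)


def classify_packet(iface: str, src: str, compiled=POLICY) -> str:
    """Verdict for a packet with source `src` arriving on `iface`.

    'permit'     - source is inside a prefix the interface may originate
    'drop'       - interface has a policy and the source is outside it
    'unfiltered' - no policy is known for this interface, so we cannot be
                   certain either way (the post's "problem is in the certainty")
    """
    if iface not in compiled:
        return "unfiltered"
    addr = ipaddress.ip_address(src)
    for net in compiled[iface]:
        if addr.version == net.version and addr in net:
            return "permit"
    return "drop"


def expected_interfaces(src: str, compiled=POLICY) -> Set[str]:
    """The converse check: the set of interfaces on which `src` is a valid
    source.  Any other interface could not legitimately have originated it,
    which is the "where it could *not* be coming from" reasoning in the post."""
    addr = ipaddress.ip_address(src)
    return {
        iface
        for iface, nets in compiled.items()
        if any(addr.version == n.version and addr in n for n in nets)
    }


def run_filter(packets=SAMPLE_PACKETS, compiled=POLICY) -> List[Tuple[str, str, str]]:
    """Apply the filter to each packet and return (iface, src, verdict)."""
    return [(iface, src, classify_packet(iface, src, compiled)) for iface, src in packets]


def summarize(results) -> Dict[str, int]:
    """Count verdicts; a rising 'drop' count on an edge is what an operator
    would watch for, and a large 'unfiltered' count shows policy gaps."""
    counts: Dict[str, int] = {"permit": 0, "drop": 0, "unfiltered": 0}
    for _, _, verdict in results:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for iface, src, verdict in run_filter():
        print(f"{iface:14} {src:16} {verdict}")
    print(summarize(run_filter()))
```

The filter is deliberately three-valued: an interface with no policy entry is reported as "unfiltered" rather than silently permitted, so the gaps in certainty the post worries about stay visible instead of being hidden by a default-allow.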


