peering requirements (Re: DDOS anecdotes)
Hank Nussbacher
hank at att.net.il
Wed Jun 27 08:15:04 UTC 2001
At 14:52 26/06/01 -0700, Paul A Vixie wrote:
> > o source filtering at high bandwidth
>
>i consider this nonsoluable. some routers can already do it, but making the
>ownership and deployment of such routers be the minimum price of entry into
>the peering game is a fatal nonstarter of an idea. and the infrastructure
>for expressing netblock ownership in a way that could be used to build
>accurate and reliable filters (assuming the routers could load such filters
>and act on them at wire speed) isn't there. i think this way lies madness.
>
>source filtering is an edge problem, at current technology levels. but how
>to ensure that other people do it at THEIR edge is a separate problem from how
>to do it at YOUR edge. the former is social/economic, the latter is
>technical.
I have found a fairly easy way to make this start happening. When putting
out an RFI/RFP for some Internet connectivity/Web hosting/VPN/etc. - in
addition to putting in the obvious rtt minimums, SLAs, OC-48 backbones,
24x7 NOCs, etc., I have started to include the following:
- anti-spoofing source filtering
Even if the ISP can't do it - the sales and marketing people are now
driving the change process. The more RFI/RFPs that ISPs see that contain
such a mandatory section, the more the network will become a better place
to live. There are more than enough consultants/people on this list that
can drive this process very quickly.
-Hank
PS I also include "human response to abuse@ email within 24 hours" :-)
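The "edge problem" in the quoted reply, worked through as an added example (not code from either poster): a customer-edge router can check a packet's source against the prefixes it has assigned to that interface, while a peering interface has no such ownership data and cannot decide. Interface names, prefixes and packets are constructed for illustration.

```python
# Added example: a simplified model of anti-spoofing ingress filtering at a
# provider's customer edge. Interface names and prefixes are constructed.
import ipaddress

# Prefixes the provider assigned to each customer-facing interface. The edge
# router knows these from its own provisioning records; a peering router has
# no equivalent authoritative source, which is the objection quoted above.
EDGE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("203.0.113.128/26")],
}

def ingress_allowed(iface, src_ip):
    """Return True if src_ip may legitimately arrive on iface.

    Interfaces without an assigned prefix list (e.g. a peering link) return
    None: no decision is possible because ownership data is unavailable.
    """
    prefixes = EDGE_PREFIXES.get(iface)
    if prefixes is None:
        return None
    addr = ipaddress.ip_address(src_ip)
    return any(addr in p for p in prefixes)

def filter_packets(packets):
    """Classify (iface, src_ip, dst_ip) tuples as 'pass', 'drop' or 'undecided'."""
    verdicts = {}
    for iface, src, dst in packets:
        decision = ingress_allowed(iface, src)
        verdict = "undecided" if decision is None else ("pass" if decision else "drop")
        verdicts.setdefault(verdict, []).append((iface, src, dst))
    return verdicts

# Constructed sample traffic: a legitimate and a spoofed packet on cust-a,
# a legitimate packet on cust-b, and one arriving over a peering link.
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.7", "192.0.2.1"),
    ("cust-a", "10.0.0.1", "192.0.2.1"),       # source not assigned to cust-a
    ("cust-b", "203.0.113.150", "192.0.2.1"),
    ("peer-1", "203.0.113.5", "192.0.2.1"),    # no ownership data on this link
]

if __name__ == "__main__":
    for verdict, pkts in filter_packets(SAMPLE_PACKETS).items():
        print(verdict, pkts)
```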