dsl providers that will route /24

Tim Winders twinders at SPC.cc.tx.us
Wed Mar 28 21:50:48 UTC 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 28 Mar 2001, David Schwartz wrote:

> > On Tue, 27 Mar 2001 15:18:08 PST, David Schwartz said:
> > > 	The problem is, the filter will block legitimate traffic.
> > > IP does not
> > > provide any sure way to tell a spoofed packet from an unspoofed packet.
>
> > Hmm.. if I *know* that my customer has a single-homed /24, and I see a
> > packet come in from his /24 that has a source address outside that /24,
> > there's a *pretty* *good* chance that something squirrely is going on.
>
> 	Right. However, it's also entirely possible that the traffic is
> legitimate. Consider, for example, a sub-customer migrating between
> two ISPs each with static IPs who currently has them both up.
>
> 	The optimum approach is to investigate it, determine if it's
> legitimate or not, and act appropriately. The lazy approach is to
> filter it and if it's legitimate, wait for the customer to complain.
> The worst possible approach is to ignore it (either filtering it or
> not) and hope that if it is a serious problem, the customer will fix
> it themself.
>
> 	The filtering advocates don't seem to particularly care whether
> the problem is fixed or not. What they're missing is that filtering is
> simply a 'level of service' issue. What's a security and community
> issue is that root compromises and misconfigurations that threaten
> others be detected and repaired. Filters can't do that.

No, no, no.  You are erring on the side of openness, rather than on the
side of security.

If you do have a root compromise and someone is able to send out spoofed
packets from that system on your network, how are you supposed to know?
If you are not filtering spoofed packets, you have no way to know that
there is anything going wrong on your network.

As for traffic outside of my address space being legitimate on my
network: no.  The only traffic outside my address space allowed on my
network (if I allowed it at all) would be pre-arranged addresses.  If this
is the case, your scenario above would be included.

This is a policy statement that should be clearly defined by each ISP's
routing policy.  "I only route my packets unless otherwise arranged.  If
another ISP connects to me, I will give them an address range, or, if they
have their own address range, I will route that.  Routing of non-portable
address space will only be made under special circumstances. yada yada
ya."

You get the idea.  If you err on the side of security, you keep everything
closed until you have to open it up.  Just like a firewall.  This way you
KNOW what is being passed and what will be allowed to be passed when you
set up the connection to the customer.

If you have and have always had egress filtering, then there is no problem
when setting up a new customer.  If you add it after the fact, you have to
be very careful and explain to the customer why it needs to be there.

If every edge network on the Internet did egress filtering, we wouldn't
have the problem of spoofed packets today.  Period.  It's that simple.

=== Tim

Flames are welcome.  :-)

     **********************************************
        Tim Winders, MCSE, CNE, CCNA
        Associate Dean of Information Technology
        South Plains College
        Levelland, TX  79336

        Phone:	806-894-9611 x 2369
        FAX:	806-894-1549
        Email:	TWinders at SPC.cc.tx.us
     **********************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (OSF1)
Comment: Made with pgp4pine 1.75-6

iEYEARECAAYFAjrCXLsACgkQTPuHnIooYbyPIACgoqTCfd0oEkeZkmct7PmYxBt0
BjgAoK8QMTR2+MR8gm+f4a4EZFpW9vT2
=PqMy
-----END PGP SIGNATURE-----
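The rule argued for above (on the interface facing a single-homed /24 customer, forward only packets whose source is inside that /24 or inside a prefix pre-arranged with the customer, and record every violation so the operator actually learns about it) as an added example. This is not code from the thread or from any NANOG participant; the interface names and the RFC 5737 documentation prefixes 192.0.2.0/24, 198.51.100.16/28 and 203.0.113.0/24 are constructed for illustration, and the pre-arranged /28 stands in for the migration case the thread discusses.

```python
"""Source-address (anti-spoofing) filter for a customer-facing edge interface.

Added example, not from the NANOG thread. Default-closed: a packet is forwarded
only if its source lies in a prefix explicitly permitted on its ingress
interface; everything else is dropped and logged, so a compromised host sending
spoofed traffic shows up in the violation summary instead of going unnoticed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on (constructed name)
    src: str          # source IP address as a string
    dst: str          # destination IP address as a string


class EdgeFilter:
    def __init__(self):
        self._allowed = {}    # interface name -> list of permitted ip_network
        self.violations = []  # every dropped packet, kept for the operator

    def permit(self, iface, prefix):
        """Permit a source prefix on an interface (the customer's own /24 or a
        pre-arranged range). strict=True rejects prefixes with host bits set."""
        net = ipaddress.ip_network(prefix, strict=True)
        self._allowed.setdefault(iface, []).append(net)

    def check(self, pkt):
        """Return 'forward' or 'drop' for one packet and record drops."""
        nets = self._allowed.get(pkt.ingress_if)
        if nets is None:
            # Unknown interface: nothing was arranged, so nothing is allowed.
            self.violations.append(pkt)
            return "drop"
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in nets):
            return "forward"
        self.violations.append(pkt)
        return "drop"

    def process(self, packets):
        """Classify a sequence of packets, returning (packet, decision) pairs."""
        return [(pkt, self.check(pkt)) for pkt in packets]

    def violation_summary(self):
        """Drops per (interface, source): a burst from one source on one
        customer port is the signal that something on that network is wrong."""
        return Counter((p.ingress_if, p.src) for p in self.violations)


def demo():
    """Constructed sample: one customer port with its /24 plus a pre-arranged
    /28, and five packets covering the legitimate and spoofed cases."""
    f = EdgeFilter()
    f.permit("cust-a", "192.0.2.0/24")          # the customer's single-homed /24
    f.permit("cust-a", "198.51.100.16/28")      # pre-arranged during a migration
    packets = [
        Packet("cust-a", "192.0.2.10", "203.0.113.5"),      # inside the /24
        Packet("cust-a", "198.51.100.20", "203.0.113.5"),   # inside the pre-arranged /28
        Packet("cust-a", "10.0.0.5", "203.0.113.5"),        # private source: spoofed
        Packet("cust-a", "203.0.113.99", "192.0.2.10"),     # someone else's space: spoofed
        Packet("cust-b", "192.0.2.11", "203.0.113.5"),      # right address, wrong port
    ]
    return f, f.process(packets)


if __name__ == "__main__":
    flt, results = demo()
    for pkt, decision in results:
        print(f"{pkt.ingress_if:7} {pkt.src:>15} -> {pkt.dst:<15} {decision}")
    print("violations:", dict(flt.violation_summary()))
```

Run as a script it prints the per-packet decision and the violation counts; the last packet shows why the rule is per interface rather than per prefix, since a valid customer address arriving on the wrong port is still a spoof.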

More information about the NANOG mailing list