dsl providers that will route /24

David Schwartz davids at webmaster.com
Wed Mar 28 23:37:46 UTC 2001



> No, no, no.  You are erring on the side of openness, rather than on the
> side of security.

	Exactly! And that's the crux of the issue here.

	We are not talking about a firewall. We are not talking about a military
installation. We are talking about our customers, and we should be taking an
'innocent until proven guilty' approach with them whenever it is reasonably
possible to do so.

	There are some cases where it certainly isn't possible to do so. BGP route
filtering is a great example. An unfiltered connection could allow a
misconfigured customer to do massive amounts of damage very quickly. That's
not tolerable.

> If you do have a root compromise and someone is able to send out spoofed
> packets from that system on your network, how are you supposed to know?
> If you are not filtering spoofed packets, you have no way to know that
> there is anything going wrong on your network.

	Perhaps you are using the term "filtering" differently from the way I am.
When I say "filtering", I'm referring to blocking. Logging and analyzing is
wonderful. Filtering is neutral (can be good or bad depending upon many
factors).

> As far as traffic outside of my address space being legitimate on my
> network.  No.  The only traffic outside my address space allowed on my
> network (if I allowed it at all) would be pre-arranged addresses.  If this
> is the case, your scenario above would be included.

	This is a level of service issue. If you want, you can coerce your
customers to pre-arrange what IPs they can use on your service. This may
make things harder for their customers, but you can do it if you want to.
Fine with me, I don't care. (But think long and hard before coercing your
customers into an arrangement you yourself couldn't live with.)

	I think you misunderstand me. I don't oppose source address filtering.
Heck, you can shut off your customers from 9 AM to 12 PM if you want to and
if they agree to it. That's a level of service issue between you and your
customers.

	I'll go one further -- if you're not going to investigate suspicious
traffic (because it's too expensive or you're too lazy or whatever), it's
probably better that you filter than not. At least that way you might
minimize the damage done to others, and that's certainly a good thing.

	I don't have a problem with filtering traffic that can't possibly be
legitimate. If you're one of those people who agrees that packets with
RFC1918 source IPs have no place on the Internet, then filter that. You can
even advocate that others filter it, because it has no possibility of
blocking legitimate traffic.

	What I do oppose is militant filtering advocacy where those filters will
filter out legitimate traffic. ISPs should not feel coerced into "erring on
the side of security" by filtering their customers' possibly legitimate
traffic when there are reasonable alternatives. In this case, there is --
allow, analyze, follow up, filter if and where necessary.

	What I also oppose is advocacy of filtering that claims that filtering
fixes the problem. It doesn't, it just minimizes the damage. Hiding the fact
that a misconfigured firewall is leaking packets with inside IPs or the fact
that a machine has been root compromised (or worse, that the actual admin
likes to launch DoS attacks) ultimately harms everyone.

	Another problem with the belief that ingress source address filtering is
the ultimate solution to the problem of spoofed packets is that it makes it
too easy to ignore the fact that there really is a problem. After all, if
filtering solves the problem perfectly, there's no need to work on a
solution, all you have to do is militantly insist that everyone filter. On
the other hand, if there's a general understanding that filtering is only
one possible solution that has problems of its own, perhaps they'll continue
to work on much better solutions.

	DS
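The post draws a line between two kinds of source-address handling on a customer port: unconditionally dropping sources that can never be legitimate on the Internet (RFC 1918 and similar ranges), and allowing, logging and following up on sources that fall outside the customer's assigned prefix but might still be legitimate. The script below is an added illustration of that split and is not code from the post or from NANOG. The customer prefix, the pre-arranged prefix list, the bogon list and the flow-log lines are all constructed for the example; the `src=`/`dst=` log format is an assumption, not any vendor's format.

```python
import ipaddress
from collections import Counter

# Constructed assumption: the customer on this port was assigned 203.0.113.0/24
# (a documentation range, so it collides with nothing real).
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed assumption: prefixes the customer pre-arranged to source from
# (the "pre-arranged addresses" option mentioned in the thread). Empty here.
PREARRANGED_PREFIXES = []

# Sources that cannot be legitimate on the public Internet: RFC 1918 private
# space plus a few other ranges that never belong in a public source field.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def classify_source(src):
    """Return 'drop', 'allow' or 'alert' for a packet source address.

    drop  - can never be legitimate; filter it unconditionally
    allow - inside the customer's assigned or pre-arranged space
    alert - outside that space but possibly legitimate; let it through,
            log it, and follow up with the customer
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_SOURCES):
        return "drop"
    if any(addr in net for net in CUSTOMER_PREFIXES + PREARRANGED_PREFIXES):
        return "allow"
    return "alert"


def parse_flow(line):
    """Parse a constructed flow-log line: '<timestamp> src=<ip> dst=<ip>'."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return tokens[0], fields["src"], fields["dst"]


def analyze(flow_lines):
    """Classify every flow and summarise the 'alert' sources by /24.

    Grouping alerts by source /24 is the follow-up step: a customer port that
    suddenly emits many addresses from one foreign prefix looks different from
    a single stray packet, and that is what an operator would investigate.
    """
    counts = Counter()
    verdicts = []
    alerts_by_prefix = Counter()
    for line in flow_lines:
        ts, src, dst = parse_flow(line)
        verdict = classify_source(src)
        counts[verdict] += 1
        verdicts.append((ts, src, dst, verdict))
        if verdict == "alert":
            prefix = ipaddress.ip_network(f"{src}/24", strict=False)
            alerts_by_prefix[str(prefix)] += 1
    return {
        "counts": counts,
        "verdicts": verdicts,
        "alerts_by_prefix": dict(alerts_by_prefix),
    }


# Constructed sample flows as seen on the customer's port (not real traffic).
SAMPLE_FLOWS = [
    "2001-03-28T23:37:46Z src=203.0.113.7 dst=198.51.100.1",   # own prefix
    "2001-03-28T23:37:47Z src=203.0.113.9 dst=198.51.100.1",   # own prefix
    "2001-03-28T23:37:48Z src=192.168.1.5 dst=198.51.100.1",   # RFC 1918 leak
    "2001-03-28T23:37:49Z src=198.51.100.9 dst=192.0.2.10",    # out of prefix
    "2001-03-28T23:37:50Z src=198.51.100.20 dst=192.0.2.10",   # out of prefix
]

if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for ts, src, dst, verdict in result["verdicts"]:
        print(f"{ts} {src:>15} -> {dst:<15} {verdict}")
    print("totals:", dict(result["counts"]))
    print("alerts by source /24:", result["alerts_by_prefix"])
```

Only the "drop" class is filtered; the "alert" class is exactly the traffic the post argues should be allowed and examined rather than silently blocked, and the per-prefix summary is the starting point for the "follow up" step.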