dsl providers that will route /24

John Fraizer nanog at Overkill.EnterZone.Net
Fri Mar 30 08:50:12 UTC 2001


On Thu, 29 Mar 2001, David Schwartz spewed:

> 	If they were spoofed, they wouldn't have to because we'd already be
> investigating. And even if they're not spoofed, you can't know they're not
> spoofed, so there's no way to know you got the right person.


WTF?:  Yes we CAN tell if they're spoofed.  It's easy.  If EVERYONE stops
peering with and listening to announcements from dumb@$$ operators who
refuse to implement PREVENTATIVE measures.  It's just that simple.  Modify
peering and transit agreements to include a "If you're a dumbass, we shut
your silly ass off!" clause.

David, don't bank on peering or obtaining transit from ANYONE that I have
ANY influence on.

> 	Well that's the real problem. Every attack is potentially
> spoofed and there are no good tools for dealing with spoofed attacks.
> Filtering doesn't solve either of those two problems.

They are ONLY potentially spoofed because there are STILL lame operators
like yourself out there that refuse to implement PREVENTATIVE MEASURES!


> 	Again, no. A unicast UDP flood can do just as much damage. So
> filters do not reduce the damage.

How's that?  The last time I checked, my "are you a customer" filters
worked against both TCP and UDP.  It sounds like you're just LAZY.  Do you
mind if I quote you to the next reporter who calls?

> > And until we get a really good solution, a really good workaround is not
> > letting spoofed packets into your network from your customers.
> 
> 	Exactly -- the problem is there's no good way to tell a spoofed
> packet from an unspoofed packet. Some form of source authentication
> would solve that.

Um, David... Do you actually READ the list or do you just randomly
reply?  Here's a clue for you.

1) Require that your customers notify you of any source addresses that
they'll be using *PRIOR* to allowing them through.  Tunneling is MUCH more
rare than spoofing.

2) Require that your customers (BGP speakers) register their networks in
RADB or whichever database you choose.  (Don't worry.  From the sounds of
it, NONE of us want your customers...the spoofing b@$tard$...and as such,
we're not really interested in who they are beyond filtering them.)

> 	DS

..still not going there.


---
John Fraizer
EnterZone, Inc
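
The two-step procedure in the post above (have each customer declare the source addresses it will use before they are allowed through, and for BGP customers take the list from route objects registered in RADB) turned into a small filter generator. This is an added example and is not part of the original post or of any NANOG or EnterZone tooling; the RPSL route objects, prefixes (RFC 5737 documentation space), ASNs (private range), function names and filter names are all constructed, and the output is written in Cisco IOS ACL/prefix-list syntax on the assumption that that is the customer-facing platform.

```python
"""Ingress (anti-spoofing) and BGP prefix filters generated from a customer's
declared or IRR-registered prefixes.

Added example; not code from the NANOG post. All names and sample data are
constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

IPv4Net = ipaddress.IPv4Network

# Constructed sample: RPSL route objects in the shape an IRR such as RADB
# returns them. Prefixes are RFC 5737 documentation space, ASNs are private.
SAMPLE_ROUTE_OBJECTS = """\
route:      192.0.2.0/24
descr:      Example customer, block A
origin:     AS64500
source:     RADB

route:      198.51.100.0/25
descr:      Example customer, block B
origin:     AS64500
source:     RADB

route:      203.0.113.0/24
descr:      Somebody else's network
origin:     AS64501
source:     RADB
"""


def parse_route_objects(text: str) -> Dict[str, Set[IPv4Net]]:
    """Map each origin ASN to the set of prefixes registered for it.

    Objects are separated by blank lines; each attribute is 'key: value'.
    strict=True makes a 'route:' with host bits set raise instead of being
    silently widened into a larger block.
    """
    table: Dict[str, Set[IPv4Net]] = {}
    for block in text.strip().split("\n\n"):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=True)
            table.setdefault(attrs["origin"].upper(), set()).add(net)
    return table


def customer_prefixes(table: Dict[str, Set[IPv4Net]], asn: str) -> List[IPv4Net]:
    """Sorted prefixes a BGP customer registered under its origin ASN (step 2).
    A static customer with no ASN just hands its declared list (step 1)
    straight to the builders below."""
    return sorted(table.get(asn.upper(), set()))


def source_allowed(prefixes: Iterable[IPv4Net], src: str) -> bool:
    """The 'are you a customer?' check: is this source address inside
    something the customer told us about? Works the same for TCP and UDP,
    since it never looks past the IP header."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in prefixes)


def build_ingress_acl(name: str, prefixes: Iterable[IPv4Net]) -> List[str]:
    """Cisco IOS-style extended ACL (IPv4 only): permit only the declared
    source prefixes, drop and log everything else. Applied inbound on the
    customer-facing interface. Wildcard mask = inverse of the netmask."""
    lines = [f"ip access-list extended {name}"]
    for net in sorted(prefixes):
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


def build_prefix_list(name: str, prefixes: Iterable[IPv4Net], step: int = 5) -> List[str]:
    """Cisco IOS-style prefix list for the BGP session: accept announcements
    only for prefixes the customer registered (exact match, no more-specifics).
    Everything not listed falls to the implicit deny."""
    nets = sorted(prefixes)
    return [f"ip prefix-list {name} seq {i * step} permit {net}"
            for i, net in enumerate(nets, start=1)]


if __name__ == "__main__":
    table = parse_route_objects(SAMPLE_ROUTE_OBJECTS)
    cust = customer_prefixes(table, "AS64500")
    print("\n".join(build_ingress_acl("CUST-AS64500-IN", cust)))
    print("\n".join(build_prefix_list("CUST-AS64500", cust)))
    for src in ("192.0.2.7", "203.0.113.5"):
        print(src, "allowed" if source_allowed(cust, src) else "SPOOFED, dropped")
```

The ACL goes inbound on the customer's interface and the prefix list on the BGP neighbour, so a packet or an announcement the customer never declared is dropped at the edge rather than investigated after the fact. The one case the post flags, a customer tunnelling traffic with other source addresses, is handled by the same mechanism: those prefixes have to be declared up front too, which is exactly the "notify you prior" requirement in step 1.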





