Who does source address validation? (was Re: what's that smell?)

Iljitsch van Beijnum iljitsch at muada.com
Tue Oct 8 16:26:30 UTC 2002


There are two separate issues:

1. Making sure packets with falsified source addresses don't leave your
network

This can be done by having customer-specific filters on all
customer-facing interfaces. (And on interfaces connecting to any type of
hosts in case those are compromised.) Or use the plain and simple version
of uRPF, with just one caveat: when a BGP customer announces a route just
for backup, they can't use this route for outbound packets either until
their other route disappears.

2. Making sure packets with falsified source addresses don't enter your
network

2a. Customers

See 1.

2b. Transit

Can't be done. (Well, you could filter traffic with source addresses from
peers that comes in over transit.)

2c. Peers

This is the part where straight uRPF doesn't work because of asymmetric
routing. However, it is possible to make this work by making every border
router always prefer its own external routes. This is easily accomplished
on Cisco routers by setting a higher weight for EBGP sessions.

No, it's not painless, and yes, it will break some weird stuff (one-way
links, people legitimately sourcing packets but for strange reasons not
announcing the accompanying routes), but don't tell me it can't be done.

The catch-22 is that if you refuse to peer with people who don't do type 1
filtering so you don't have to implement 2c, you end up with the garbage
coming in over transit, where you can't filter it.
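As an added illustration (not part of the original post), the following toy model checks source addresses against a border router's FIB the way strict and loose uRPF do. It shows the asymmetric-routing failure described in 2c, how raising the eBGP weight makes the local peering route the best path, and the backup-route caveat from 1. The interface names, prefixes and weight value are constructed.

```python
import ipaddress

# Constructed toy FIB for a border router. Each entry: prefix, egress interface,
# and a Cisco-style BGP weight. Entries are listed in the order the rest of the
# BGP best-path decision would rank them, so weight is the first tie-breaker
# (as on Cisco) and list position stands in for every later attribute.
def route(prefix, iface, weight=0):
    return {"prefix": ipaddress.ip_network(prefix), "iface": iface, "weight": weight}

def best_route(fib, addr):
    ip = ipaddress.ip_address(addr)
    matches = [(i, r) for i, r in enumerate(fib) if ip in r["prefix"]]
    if not matches:
        return None
    # Longest prefix wins; among equals, highest weight, then the earliest entry.
    _, r = max(matches, key=lambda ir: (ir[1]["prefix"].prefixlen, ir[1]["weight"], -ir[0]))
    return r

def strict_urpf_ok(fib, src, ingress_iface):
    """Strict uRPF: the best route back to src must leave via the ingress interface."""
    r = best_route(fib, src)
    return r is not None and r["iface"] == ingress_iface

def loose_urpf_ok(fib, src):
    """Loose uRPF: any route to src at all, whichever interface it points to."""
    return best_route(fib, src) is not None

def border_fib(ebgp_peer_weight=0):
    # 203.0.113.0/24 is a peer's prefix learned twice: via iBGP from another border
    # router (reached over Transit0) and directly over the peering link Peer0.
    # 198.51.100.0/24 is a BGP customer's prefix: primary on Cust0, backup on Cust1.
    # Everything else falls under the default route towards transit.
    return [
        route("203.0.113.0/24", "Transit0"),
        route("203.0.113.0/24", "Peer0", ebgp_peer_weight),
        route("198.51.100.0/24", "Cust0"),
        route("198.51.100.0/24", "Cust1"),
        route("0.0.0.0/0", "Transit0"),
    ]

if __name__ == "__main__":
    # Asymmetric peer: traffic arrives on Peer0 but our best path back is via transit.
    print("peer, default weight :", strict_urpf_ok(border_fib(), "203.0.113.5", "Peer0"))
    print("peer, weight raised  :", strict_urpf_ok(border_fib(200), "203.0.113.5", "Peer0"))
    # Customer backup link: strict uRPF drops its traffic while the primary is up.
    print("customer backup link :", strict_urpf_ok(border_fib(), "198.51.100.7", "Cust1"))
```

Loose mode accepts anything covered by the default route, so it stops nothing at a router that carries a full table plus default; the strict check is the one that actually enforces the filtering the post describes.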