Who does source address validation? (was Re: what's that smell?)
John M. Brown
john at chagresventures.com
Tue Oct 8 18:50:10 UTC 2002
It seems to reason that if people started filtering RFC-1918 on
their edge, we would see a noticeable amount of traffic go away.
Simulation models I've been running show that an average of 12 to 18 percent
of a provider's traffic would disappear if they filtered RFC-1918 sourced
packets. The percentage ranges scale with the size of the provider.
Smaller providers, less impact; larger providers, more impact.
In addition to the bandwidth savings, there is also a support cost
reduction and together, I believe backbone providers can see this
on the bottom line of their balance sheets.
We have to start someplace. There is no magic answer for all cases.
RFC-1918 is easy to admin, and easy to deploy, in relative terms compared
to uRPF or similar methods.
For large and small alike it can be a positive marketing tool, if properly
implemented.
john brown
On Tue, Oct 08, 2002 at 11:09:10AM -0400, Sean Donelan wrote:
>
> On Tue, 8 Oct 2002, Joe Abley wrote:
> > What is difficult about dropping packets sourced from RFC1918 addresses
> > before they leave your network?
> >
> > I kind of assumed that people weren't doing it because they were lazy.
>
> I've checked the marketing stuff of several backbones, as far as I could
> tell only one makes the blanket statement about source address
> validation on their entire network.
>
> http://www.ipservices.att.com/backbone/techspecs.cfm
>
> AT&T has also implemented security features directly into the backbone.
> IP Source Address Assurance is implemented at every customer
> point-of-entry to guard against hackers. AT&T examines the source
> address of every inbound packet coming from customer connections to
> ensure it matches the IP address we expect to see on that packet. This
> means that the AT&T IP Backbone is RFC2267-compliant.
>
> What backbones do 100% source address validation? And how much of it is
> real, and how much is marketing? On single-homed or few-homed stub
> networks it's "easy." But even in a moderately complex transit network it
> becomes "difficult." Yes, I know about uRPF-like stuff, but the router
> vendors are still tweaking it.
>
> If there is a magic solution, I would love to hear about it.
> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.
>
> Heck, the phone network still has trouble getting the correct Caller-ID
> end-to-end.
>
>
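Added example (not code from this thread or from any provider named in it): a small Python simulation of the two filters the thread contrasts, a plain RFC-1918 source filter and RFC 2267-style strict/loose unicast reverse-path checks, run over constructed flow records. The routing table, interface names, addresses and packet sizes are all constructed for illustration; the percentages it prints describe only that sample, not any real provider.

```python
"""Simulate edge source-address filtering on constructed flow records.

Added example; models an RFC 1918 source filter and strict/loose uRPF
(RFC 2267 / BCP 38 style) on a router with two customer ports and one
upstream. Every route, interface and packet below is constructed.
"""
import ipaddress
from typing import NamedTuple

RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Packet(NamedTuple):
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    size: int    # bytes


# Constructed routing table (prefix, outgoing interface). No default route:
# a transit router is assumed to carry specific routes, so an unrouted
# source genuinely has no reverse path.
ROUTE_TABLE = [(ipaddress.ip_network(p), i) for p, i in (
    ("192.0.2.0/24", "upstream"),
    ("203.0.113.0/24", "cust-A"),
    ("198.51.100.0/24", "cust-B"),
)]


def best_route(addr):
    """Longest-prefix match; returns (network, iface) or None."""
    a = ipaddress.ip_address(addr)
    matches = [(n, i) for n, i in ROUTE_TABLE if a in n]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def is_rfc1918(src):
    a = ipaddress.ip_address(src)
    return any(a in n for n in RFC1918_NETS)


def passes_rfc1918_filter(pkt):
    """The 'easy' filter: drop only packets with an RFC 1918 source."""
    return not is_rfc1918(pkt.src)


def passes_strict_urpf(pkt):
    """Strict mode: best route back to the source must point at the
    interface the packet arrived on. Breaks on asymmetric paths."""
    r = best_route(pkt.src)
    return r is not None and r[1] == pkt.iface


def passes_loose_urpf(pkt):
    """Loose mode: any route to the source suffices, whatever interface."""
    return best_route(pkt.src) is not None


def apply_filter(packets, check):
    """Run `check` over packets; return kept/dropped lists and the share of
    bytes that the filter would remove."""
    kept, dropped = [], []
    for p in packets:
        (kept if check(p) else dropped).append(p)
    total = sum(p.size for p in packets)
    pct = 100.0 * sum(p.size for p in dropped) / total if total else 0.0
    return {"kept": kept, "dropped": dropped, "pct_bytes_dropped": round(pct, 1)}


# Constructed ingress traffic from the two customer ports.
SAMPLE = [
    Packet("cust-A", "203.0.113.10", "192.0.2.1", 1500),  # legitimate
    Packet("cust-A", "10.0.0.5", "192.0.2.1", 500),       # RFC 1918 leak
    Packet("cust-A", "198.51.100.7", "192.0.2.1", 1000),  # cust-B's prefix on cust-A's port
    Packet("cust-B", "198.51.100.7", "192.0.2.1", 1500),  # legitimate
    Packet("cust-B", "192.168.1.1", "192.0.2.1", 500),    # RFC 1918 leak
    Packet("cust-B", "198.18.0.9", "192.0.2.1", 1000),    # unrouted (RFC 2544 bench range)
]

if __name__ == "__main__":
    for name, check in (("rfc1918", passes_rfc1918_filter),
                        ("strict uRPF", passes_strict_urpf),
                        ("loose uRPF", passes_loose_urpf)):
        r = apply_filter(SAMPLE, check)
        print(f"{name:12s} drops {len(r['dropped'])} pkts, "
              f"{r['pct_bytes_dropped']}% of bytes")
```

The third sample packet is the case Sean's reply is worried about: a source from a prefix routed via another port. Strict uRPF drops it whether it is spoofed or simply arrived over an asymmetric path from a multi-homed customer, loose uRPF accepts it, and the RFC 1918 filter never looks at it at all. Those are the "exceptions" that make 100% validation costly on a transit network while the RFC 1918 filter stays cheap to deploy.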