Who does source address validation? (was Re: what's that smell?)

Jared Mauch jared at puck.Nether.net
Thu Oct 10 16:59:10 UTC 2002


On Thu, Oct 10, 2002 at 06:36:33PM +0200, Iljitsch van Beijnum wrote:
> So what then if someone runs a secure tunnel over wireless over a PPPoE
> over ADSL using mobile IPv6 that runs over a tunnel or two ad nauseam
> until the headers get bigger than 374 bytes? Then you'll have your problem
> right back. Might as well really solve it the first try.

	This is a problem that would be solved by everyone being
responsible and doing PMTUD properly.

> One of the problems is that there is no generally agreed on and widely
> available set of rules for this stuff. Setting the DF bit on all packets
> isn't good, but it works. Using RFC1918 space to number your tunnel
> routers isn't good, but it works. Filtering validating source addresses on
> ingress is good, but hey, it doesn't work!

	I think we're starting to get at the heart of the problem
but let me stick my neck out and say it:

	Registries (APNIC, ARIN, RIPE, etc.) charge for IP addresses.
Be it via a lease/registration fee, it's a per-IP charge that ISPs must
get via some means out of their subscribers.  (Unless people
don't care about money, that is).  Back in the "days", one could
obtain IP addresses from InterNIC saying "I will not connect
to the internet", "I intend to connect at some later date in a
year or two .. (or similar)", "I intend to connect now".

	People number out of 1918 space primarily for a few
reasons, be they good or not:

	1) Internal use
	2) Cost involved.. nobody else needs to telnet to my p2p
links but me, and I don't want to pay {regional_rir} for my
internal use, to reduce costs
	3) "security" of not being a "publicly" accessible
network.

	This can break many things: PMTU, multicast and various
streaming (multi)media applications.

	With the past scare of "we'll be out of IP addresses by 199x"
still fresh in some people's memories, they in their good conscience decided
to also conserve IPs via this method.

	The problem is that not everyone today who considers themselves
a network operator understands all the ramifications of their current
practices, be they good or bad.

	Going into fantasy-land mode, if IPv6 addresses were instantly
used by everyone, people could once again obtain IPs that could be
used for internal private use yet remain globally unique, therefore
allowing tracking back of who is leaking their own internal sources.


> Making a good list of best practices (and then have people widely
> implement them) might also go a long way towards showing concerned parties
> such as the US administration that the network community consists of
> responsible people that can work together for the common good.

	I agree here, I personally think that numbering your internal
links out of 1918 space is not an acceptable solution unless it's
behind your "natted" network/firewall and does not leak out.

	Perhaps some of those that are the better/brighter out there want
to start to write up a list of "networking best practices".

	Then test those "book smart" CCIE/CNE types with the information
to ensure they understand the ramifications.  A few good whitepapers
about these might be good to include or quiz folks on.  I suspect
there's only a handful of people that actually understand the complete
end-to-end problem and all the ramifications involved, as it is quite
complicated.

> > But if the best reason we can
> > come up with is ISIS, the IEEE will just keep laughing.
> 
> Why is the IEEE laughing?

	The implication is that IEEE will not change the 802.x specs
to allow larger [default] link-local MTU due to legacy interop
issues.  Imagine your circa-1989 NE2000 card attempting to process
a 4400-byte frame on your local LAN.  A lot of the "cheap" ethernet
cards don't include enough buffering to handle such a large frame,
let alone the legacy issues involved.. and remember the enterprise
networks have a far larger number of ethernet interfaces deployed
than the entire internet combined * 100 at least.  Any change
to the spec would obviously affect them also.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
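The failure mode discussed in this thread, shown as an added example (not code from the thread or its authors): a tunnel router numbered out of RFC1918 space sends its ICMP "fragmentation needed" message from that private address, an ingress source-address filter at the other end drops it, and path MTU discovery black-holes. The addresses, link MTUs and the filter model are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# RFC1918 prefixes that a typical ingress source-address filter rejects.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ingress_filter_allows(src):
    """True if a packet sourced from `src` survives RFC1918 ingress filtering."""
    return not any(ip_address(src) in net for net in RFC1918)

def pmtud_probe(size, path):
    """Send one DF-set packet of `size` bytes along `path`, a list of
    (router_interface_addr, outgoing_link_mtu) pairs.
    Returns ("delivered", size), ("frag_needed", link_mtu) when the ICMP
    type 3 code 4 reaches the sender, or ("black_hole", None) when the
    router's ICMP was sourced from a filtered (RFC1918) address."""
    for router_addr, link_mtu in path:
        if size > link_mtu:
            # The router sources the ICMP from its own interface address,
            # so a private interface address means a filtered ICMP.
            if ingress_filter_allows(router_addr):
                return ("frag_needed", link_mtu)
            return ("black_hole", None)
    return ("delivered", size)

def discover_path_mtu(initial, path, max_rounds=10):
    """Iterate PMTUD: shrink on each frag_needed until delivered.
    Returns the discovered MTU, or None if the path black-holes."""
    size = initial
    for _ in range(max_rounds):
        result, value = pmtud_probe(size, path)
        if result == "delivered":
            return size
        if result == "black_hole":
            return None
        size = value
    return None

# Constructed paths: a 1500-byte first hop, then a 1476-byte tunnel hop.
GOOD_PATH = [("198.51.100.1", 1500), ("203.0.113.9", 1476)]   # tunnel router: global space
LEAKY_PATH = [("198.51.100.1", 1500), ("10.1.1.9", 1476)]     # tunnel router: RFC1918

if __name__ == "__main__":
    print("globally numbered tunnel:", discover_path_mtu(1500, GOOD_PATH))  # 1476
    print("RFC1918 numbered tunnel: ", discover_path_mtu(1500, LEAKY_PATH))  # None
```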