On the back of other 'security' posts....

Matthew Crocker matthew at crocker.com
Sun Aug 31 11:28:24 UTC 2003


>
> As I've said many times (so have a few others, more now than before) you
> have to define the 'edge' first... My definition is: "as close to the end
> system as possible". For instance the LAN segment seems like the ideal
> place, it's where there is the most CPU per packet, with the most simple
> routing config and most predictable traffic patterns/requirements.
>

The 'edge' is the last piece of equipment on your network.  It is what 
connects you to your customer and what connects you to your upstreams.  
Every ISP should put anti-spoofing filters on ALL edge interfaces.  My 
entire customer edge (dialup, ISDN, DSL, T1, FR, ATM, wireless, colo) is 
defined in LDAP/RADIUS.  When a session is established my edge 
equipment configures itself over RADIUS.  It isn't hard to use that 
information to build a customer-specific filter for the session.  For 
example, every dialup (PPP) or DSL (PPPoE) session should have a 
filter which *only* allows packets sourced from the customer IP in.  It 
should also deny packets coming from the customer out to the customer.  
It is pretty simple to do this but you do need to maintain proper 
customer records.  Your customer edge is their equipment and they should 
also put anti-spoof filters in line.  Security is not a single point on 
a map.  Security must be established on every interface.  Most people 
say that you can't filter an OC-48 at line speeds, or that it will 
increase the latency too much.  If filtering increases latency by 5% 
but decreases junk traffic by 20%, don't you think you and the network 
are better off?  For true redundancy for dual-homed sites the links 
shouldn't be running above 40% capacity anyway.  If your router can't 
filter at 40% line speed you need another router.  I know in the core 
it gets much more complex, but when I connected my Verio link I had to 
make sure all of my IRR entries were correct.  They already filter my 
BGP prefixes; I would assume they filter my IP as well.  I know I filter 
my outbound to make sure it is only coming from me.

>> such packets from ever getting past their edge routers.  If edge
>> filtering isn't considered a "reasonably simple" thing to do, I'd like
>> to hear the reasons why.
>
> it's not tough, you just have to define the edge in the right way.

The edge is everywhere, and the more specific you get the more specific 
your filters can be.  In the core you can't be very specific.  We have 
a bunch of routes that we announce (/16, 2 x /21, 3 x /24).  It 
wouldn't be hard for my upstreams to filter my traffic.  I already have 
to notify them (via IRR) when I have a new announcement.  They can 
update my filter when they update the prefix-list.

-Matt
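The two filters Matt describes (per-session: permit only packets sourced from the RADIUS-assigned address inbound, deny packets claiming that address outbound toward the customer; upstream edge: permit only sources inside the prefixes registered in the IRR) are the same check over different allowed sets. The example below is added here and is not Matt's configuration or any router's syntax; the addresses are constructed from RFC 5737 documentation space, and the acl_lines() rendering is illustrative vendor-neutral text, not a real CLI.

```python
"""Added example (not the poster's configuration): anti-spoofing source filters
derived from (a) the address a customer session was assigned over RADIUS and
(b) the prefixes a neighbour registered in the IRR.  Addresses are constructed
from RFC 5737 documentation space."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class PrefixFilter:
    """Permit a packet only when its source lies inside an allowed prefix.

    This is the ingress ACL on an edge interface.  For a dialup/DSL session the
    allowed set is the single RADIUS-assigned address; at the upstream edge it
    is the customer's IRR-registered announcements (a /16, two /21s and three
    /24s in the post), so the prefix-list and the anti-spoof filter share one
    source of truth."""

    def __init__(self, allowed_prefixes: Iterable[str]) -> None:
        # strict=False tolerates host bits set in a prefix string; a bare
        # address becomes a /32 host route.
        self.allowed = [ip_network(p, strict=False) for p in allowed_prefixes]

    def permits(self, pkt: Packet) -> bool:
        src = ip_address(pkt.src)
        return any(src in net for net in self.allowed)


def session_verdicts(assigned_ip: str,
                     inbound: Iterable[Packet],
                     outbound: Iterable[Packet]) -> Dict[Tuple[str, str, str], str]:
    """Apply the two per-session rules from the post to sample traffic.

    inbound  (customer -> ISP): permit only packets sourced from assigned_ip.
    outbound (ISP -> customer): deny packets that claim assigned_ip as source;
                                nothing on the ISP side legitimately uses it.
    Returns {(direction, src, dst): "permit" | "deny"}."""
    customer = PrefixFilter([assigned_ip])
    verdicts: Dict[Tuple[str, str, str], str] = {}
    for pkt in inbound:
        verdicts[("in", pkt.src, pkt.dst)] = "permit" if customer.permits(pkt) else "deny"
    for pkt in outbound:
        verdicts[("out", pkt.src, pkt.dst)] = "deny" if customer.permits(pkt) else "permit"
    return verdicts


def acl_lines(assigned_ip: str) -> List[str]:
    """Render the session rules as vendor-neutral ACL text (illustrative syntax,
    not any particular router's): what a RADIUS-driven edge box would install
    for the interface when the session comes up."""
    return [
        f"in:  permit src {assigned_ip}",
        "in:  deny   src any",
        f"out: deny   src {assigned_ip}",
        "out: permit src any",
    ]


if __name__ == "__main__":
    # Constructed sample session: the customer was assigned 192.0.2.10 over RADIUS.
    inbound = [Packet("192.0.2.10", "198.51.100.1"),   # legitimate
               Packet("203.0.113.5", "198.51.100.1")]  # spoofed source -> deny
    outbound = [Packet("198.51.100.1", "192.0.2.10"),  # legitimate reply
                Packet("192.0.2.10", "192.0.2.10")]    # claims the customer's own IP -> deny
    for key, verdict in session_verdicts("192.0.2.10", inbound, outbound).items():
        print(key, verdict)
    print("\n".join(acl_lines("192.0.2.10")))

    # Constructed upstream-edge filter built from IRR-style route objects.
    irr = PrefixFilter(["198.51.100.0/24", "203.0.113.0/25", "203.0.113.128/25"])
    print(irr.permits(Packet("203.0.113.200", "192.0.2.1")))  # inside a registered prefix
    print(irr.permits(Packet("192.0.2.77", "192.0.2.1")))     # not registered -> dropped
```

Note that the outbound rule only catches packets that spoof the customer's own address towards the customer; the matching inbound rule on every other edge interface is what stops that traffic being sourced in the first place, which is the "every interface" point in the post.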

More information about the NANOG mailing list