IAB concerns against permanent deployment of edge-based filtering

Jun-ichiro itojun Hagino itojun at itojun.org
Sat Oct 18 00:13:29 UTC 2003


IAB concerns against permanent deployment of edge-based filtering


The IAB notes that there ISPs/ASes undertaking permanent deployment of
edge-based protocol number/port number packet filtering on traffic
received from eBGP peers.

As a short term response to security incidents this is a prudent
operational measure that limits the spread of various forms of attack, and
also mitigates some level of risk associated with network vulnerabilities.
For example, many ISPs installed temporary filters in response to a July
2003 security advisory for CISCO routers (
http://www.cert.org/advisories/CA-2003-15.html). In the case of this
incident PIM (protocol # 103) and mobile-ip4 (55) packets could trigger
the vulnerability. The operational community responded with widespread
deployment of filters at AS borders for these protocol numbers.  Because
of this, PIM and mobile-ip4 no longer work across such AS borders.

The IAB is concerned about the practice of the permanent deployment of
such traffic filters, since this could block the operation of certain
applications in current use, as well as limiting the potential for
deployment of future applications. Such filters ultimately limit
extensibility of the Internet protocol as well as the Internet itself.

It is an entirely appropriate and operationally prudent response to filter
at the AS border as a short term mitigation of various network
vulnerabilities. However, filters at AS borders do not provide any more
than a relatively short term mitigation, and certainly do not solve the
real problem of eliminating all forms of exploitation of such
vulnerabilities. Over time knowledge of a vulnerability spreads across
the network and potential exploiters of a vulnerability will be within an
ISP/AS as well as being on the outside. The only stable and appropriate
longer term operational response is to upgrade network equipment to
eliminate the vulnerability, rather than attempting to configure packet
filters intended to prevent externally located third parties from
exploiting it.

While short term traffic filters are deployed, the appropriate recommended
longer term action is to:

- To install filters to detect packets that are directed to the router
   itself to protect the router. (do not filter traffic that goes through
   the routers).

- To update router firmware to a version known to eliminate the
   vulnerability

Regards,

Jun-ichiro itojun Hagino, on behalf of IAB (iab at ietf.org)



More information about the NANOG mailing list