On the back of other 'security' posts....

Iljitsch van Beijnum iljitsch at muada.com
Tue Sep 2 07:44:15 UTC 2003


On maandag, sep 1, 2003, at 20:58 Europe/Amsterdam, Terry Baranski 
wrote:

>> the rest of the paper is also germane to this thread.  just
>> fya, we keep rehashing the UNimportant part of this argument,
>> and never progressing. (from this, i deduce that we must be humans.)

> Ok, so we seem to have a general agreement that anti-spoof & BGP prefix
> filtering on all standard customer edge links is a worthwhile practice.

I think we can use wording a little stronger than this. Allowing 
invalid (for that customer) prefixes or source addresses has the 
potential to cause significant problems.

> Now what?  Is there any hope of this ever happening on a very large
> scale without somehow being mandated? (Not that it necessarily should be
> mandated.)  How much success have Barry Green and co. had?  Is there
> something the rest of us could be doing?

Well, one thing that would work well if one or more of the large 
networks start doing it: de-peer if you see this kind of stuff from 
your peers. I enabled

access-list 123 deny ip 192.168.0.0 0.0.255.255 any log-input

on an interface towards an internet exchange, and I got a significant 
number of hits, most notably from several large cable ISPs.

Obviously this is going to happen much faster as soon as someone 
figures out that if you have your own high-capacity global network, 
you're in a relatively good position to clean up DoS for your customers 
on a structural basis and thus charge more per Mbit.
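The customer-edge check the thread agrees on (drop source addresses that are RFC 1918 or outside the customer's own prefixes), written out as a small Python filter. This is an added example, not code from the post or from NANOG; the customer prefixes and source addresses are constructed documentation-range values, and the wildcard converter and the other two RFC 1918 blocks extend the single IOS line quoted above.

```python
import ipaddress
from typing import Dict, Iterable

# Source ranges that must never arrive on an internet-facing interface.
# The post's ACL line covers 192.168.0.0/16; the other RFC 1918 blocks
# are included here as the obvious extension of the same rule.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ios_wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair such as
    '192.168.0.0 0.0.255.255' into a network object.
    Only contiguous wildcards are accepted, which is all an anti-spoof
    ACL needs (a non-contiguous mask would not describe one prefix)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard mask not supported")
    prefixlen = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=True)


def classify_sources(customer_prefixes: Iterable[str],
                     sources: Iterable[str]) -> Dict[str, str]:
    """Return a verdict per source address as the customer-edge filter
    would see it: 'permit' if it falls inside one of the prefixes assigned
    to that customer, 'deny-rfc1918' for private space, and
    'deny-not-customer' for any other address (a spoofed or leaked source)."""
    allowed = [ipaddress.ip_network(p) for p in customer_prefixes]
    verdicts: Dict[str, str] = {}
    for src in sources:
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in RFC1918):
            verdicts[src] = "deny-rfc1918"
        elif any(ip in net for net in allowed):
            verdicts[src] = "permit"
        else:
            verdicts[src] = "deny-not-customer"
    return verdicts


if __name__ == "__main__":
    # Constructed sample: one customer prefix, three observed sources.
    print(ios_wildcard_to_network("192.168.0.0", "0.0.255.255"))
    for src, verdict in classify_sources(
            ["198.51.100.0/24"],
            ["198.51.100.7", "192.168.1.5", "192.0.2.9"]).items():
        print(f"{src:15} {verdict}")
```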
