filtering 1918 (was Re: Summary with...: Domain Name System ...)

Jared Mauch jared at puck.nether.net
Wed Aug 18 22:12:38 UTC 2004


On Wed, Aug 18, 2004 at 05:31:47PM -0400, Richard A Steenbergen wrote:
> 
> On Wed, Aug 18, 2004 at 02:18:32PM -0700, David A. Ulevitch wrote:
> > 
> > 
> > <quote who="Richard A Steenbergen">
> > 
> > > Is it really enough traffic that you, as a root server operator, can't
> > > just suck it up and deal? Sure there are going to be a few folks who are
> > > misconfigured, but I can't imagine that it is enough to cause operational
> > > issues.
> > 
> > No, no operational issues at all from RFC1918 space....
> > 
> > http://www.as112.net/  (just to drop the most well documented example...)
> 
> That looks like a 1918 issue to me... Let's be clear about the difference 
> between a DNS query for 1918 space and a DNS query sourced from 1918 space, 
> which can never be returned to.
> 
> Yes I'm sure it is annoying, but the questions are:
> 
> How much EXTRA load does it really place on the rootservers?
> Is it really so much load that you can't just chalk it up to a normal 
> part of the service being provided?
> 
> Or to put it another way:
> 
> How much computing power would I need to buy you so that I never have to 
> hear complaints about queries from 1918 space on a mailing list again? :)

	Let me put it the ultimate way:

	How many routers, linecards, configs, etc. need to be
upgraded to ensure that there is source address validation?

	I want to ensure that every packet I deliver to my
end-customers is from a real host on the other side.  Even if it's
0wned, I want to pass that packet until such time as our
security team is notified and works to mitigate it.

	We (AS2914) attempt to ensure that packets our customers pass
to our network are from address space they are registered/authorized
to pass.

	I know that AT&T (AS7018) does this as well with their
customers.

	Anyone that isn't working on this (even slowly) is helping
contribute to part of the problem/mess of RFC1918-sourced packets leaking
to the internet.

	While there is a cost on operators of services (e.g. Paul/ISC
in f.root ops), it's not just the 1918-sourced packets you should
be worried about, it's the people spoofing others' IPs...  While
enabling uRPF in one of our POPs, I was watching what sources were
coming in on the links to ensure that we were not dropping
the wrong packets, or that the customers didn't really need to source
packets from those ranges.  A lot of machines were spewing packets
from random IPs on the other side of the world (Europe, Asia) that should
not have been coming from machines in the US behind some random T1 customer.

Router#deb ip cef drops ?  
  rpf     Packets dropped by CEF Unicast RPF

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
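The check Jared describes, accepting a customer's packet only when its source address is one the customer is authorized to use and dropping RFC1918 and spoofed sources, is what strict-mode unicast RPF does at the router. Below is an added example, not code from the post, from NANOG, or from any vendor, that models that decision in Python and adds the dry-run audit he ran before enabling it: classify every arriving packet and summarize per interface what would be dropped. The routing table, interface names, bogon list and packet samples are all constructed; the check is IPv4-only and `strict=False` stands in for loose-mode uRPF (source merely has to be routable somewhere).

```python
"""Strict/loose source-address validation (uRPF / BCP38 style) with a
pre-enable audit. Added example; not the original post's code."""
from collections import Counter
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed routing table: prefix -> interface the prefix is routed toward.
# TEST-NET ranges stand in for customer address space.
ROUTES: Dict[IPv4Network, str] = {
    ip_network("192.0.2.0/24"): "Serial0/1",        # customer A
    ip_network("198.51.100.0/24"): "Serial0/2",     # customer B
    ip_network("198.51.100.128/25"): "Serial0/3",   # B's sub-block, homed elsewhere
}

# Sources that must never arrive from a customer link: RFC1918 plus a few
# other non-routable ranges (a deliberately short, constructed list).
BOGONS: List[IPv4Network] = [
    ip_network(p) for p in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
        "0.0.0.0/8", "127.0.0.0/8",                       # "this" net, loopback
    )
]


def longest_match(src) -> Optional[Tuple[IPv4Network, str]]:
    """Return (prefix, interface) of the most specific route covering src."""
    best = None
    for net, iface in ROUTES.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def classify(src_str: str, in_iface: str, strict: bool = True) -> str:
    """Verdict for one packet: 'pass', 'drop-bogon' or 'drop-rpf'.

    strict=True  : source must route back out the interface it came in on.
    strict=False : source only needs some route (loose mode); catches bogons
                   and unrouted space but not a customer spoofing a neighbour.
    """
    src = ip_address(src_str)
    if any(src in b for b in BOGONS):
        return "drop-bogon"
    match = longest_match(src)
    if match is None:
        return "drop-rpf"              # no route back at all
    if strict and match[1] != in_iface:
        return "drop-rpf"              # routed, but not via this link
    return "pass"


def audit(packets: Iterable[Tuple[str, str]], strict: bool = True) -> Dict[str, Dict[str, int]]:
    """Dry run over observed (source, interface) pairs: per-interface verdict
    counts, i.e. what uRPF would drop if it were switched on now."""
    per_iface: Dict[str, Counter] = {}
    for src, iface in packets:
        per_iface.setdefault(iface, Counter())[classify(src, iface, strict)] += 1
    return {iface: dict(c) for iface, c in per_iface.items()}


# Constructed sample of sources seen on customer links.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("192.0.2.10", "Serial0/1"),        # customer A using its own space
    ("10.1.2.3", "Serial0/1"),          # RFC1918 leak
    ("203.0.113.77", "Serial0/1"),      # unrouted space: spoofed
    ("192.0.2.10", "Serial0/2"),        # customer B spoofing A's address
    ("198.51.100.5", "Serial0/2"),      # customer B using its own space
    ("198.51.100.200", "Serial0/2"),    # B's /25 is routed via Serial0/3
    ("198.51.100.200", "Serial0/3"),    # ...and arrives there: fine
]

if __name__ == "__main__":
    for iface, counts in sorted(audit(SAMPLE_PACKETS).items()):
        print(iface, counts)
```

The 198.51.100.200 case is the one the post warns about when it talks about "dropping the wrong packets": a more-specific route homed on another link makes strict mode discard legitimate traffic arriving on Serial0/2, while loose mode accepts it. Running the audit first, the way the post describes watching sources before enabling uRPF, surfaces exactly those interfaces before a drop counter (such as the `deb ip cef drops rpf` output quoted above) starts climbing.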


