Source address validation (was Re: UUNet Offer New Protection Against DDoS)

Christopher L. Morrow christopher.morrow at mci.com
Mon Mar 8 01:32:51 UTC 2004


On Mon, 8 Mar 2004, E.B. Dreger wrote:

>
> SD> Date: Sun, 7 Mar 2004 16:17:50 -0500 (EST)
> SD> From: Sean Donelan
>
>
> SD> SAV doesn't tell you where the packets came from.  At best
> SD> SAV tells you where the packets didn't come from.
>
> If SAV were universal, source addresses could not be spoofed.  If
> source addresses could not be spoofed...

in a perfect world yes, for today we still have LOTS of folks that
firewall in one direction only. A great example of this is the great
firewall of China :( How, if they are filtering every packet that leaves
their country, can I still get attacked from them? :(

Until this is a default behaviour and you can't screw it up (a la
directed-broadcast) this will be something we all have to deal with.

>
> SD> Have you noticed this thread is full of people who don't run
> SD> large networks saying other people who do run networks should
> SD> deploy SAV/uRPF.
>
> 1. SAV is most effective at the edge, which often implies the
>    smaller networks should be doing it

excellent, the original point of the conversation has been satisfied...
uRPF for the core is not a good plan, edge networks are a great place for
this. Doing this on single-homed customers is a great step in the right
direction. However, as you say, the best place for this is on the edge of
the network. So this implies that each edge LAN router will/should have
uRPF or at least an acl permitting only local LAN traffic to source from
it, right?

I have a question: I wonder if uRPF works on low-end platforms without
running CEF? Do all low-end platforms gracefully support CEF along with
the other things enterprises typically do on routers? (just a question
really...)

>
> 2. I've not seen large networks talking about their awful
>    experiences with SAV.
>

it melts routers, good enough for you? Specifically it melts linecards :(
my experience is only on Cisco equipment though, so the linecard/ios/rev
games must be played. If you upgrade, or initially install, E3 cards a
large portion of this care is not necessary though. This is a problem that
could be migrated out as new equipment/capabilities hit everyone's
networks. I suspect that market pressure will push things in this
direction anyway over time.
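As an added illustration of the distinction drawn in this thread between strict uRPF, loose uRPF and a plain edge ACL (example code written for this page, not from the thread or from any vendor's implementation; the FIB, interface names and packet sources are constructed sample data):

```python
import ipaddress

# Constructed FIB for a small edge router (sample data, not from the thread):
# prefix -> interface the route points out of.
FIB = {
    "192.0.2.0/24": "Gi0/1",     # single-homed customer LAN on Gi0/1
    "198.51.100.0/24": "Gi0/2",  # another single-homed customer on Gi0/2
    "0.0.0.0/0": "Gi0/0",        # default route toward the upstream
}

def best_route(fib, src, allow_default=False):
    """Longest-prefix match for src; the default route is ignored unless
    allow_default is set, mirroring how uRPF treats it on most platforms."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(fib, src, ingress, allow_default=False):
    """Strict mode: accept only if the best route back to src leaves via
    the interface the packet arrived on."""
    hit = best_route(fib, src, allow_default)
    return hit is not None and hit[1] == ingress

def urpf_loose(fib, src, allow_default=False):
    """Loose mode: accept if src is routable at all; it cannot catch a
    spoofed source that belongs to another customer of the same router."""
    return best_route(fib, src, allow_default) is not None

def lan_acl(local_prefix, src):
    """Edge ACL alternative: permit only sources inside the local LAN."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(local_prefix)

def filter_packets(fib, packets, mode="strict"):
    """Return the sources dropped from a list of (src, ingress) tuples."""
    dropped = []
    for src, ingress in packets:
        ok = urpf_strict(fib, src, ingress) if mode == "strict" else urpf_loose(fib, src)
        if not ok:
            dropped.append(src)
    return dropped
```

Running the same three constructed packets through both modes shows why the thread favours strict checks at the edge: loose mode passes a source spoofed from the neighbouring customer prefix, strict mode does not, and the default route is excluded so that "routable anywhere" does not become "accept everything".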
