Source address validation (was Re: UUNet Offer New Protection Against DDoS)

E.B. Dreger eddy+public+spam at noc.everquick.net
Mon Mar 8 03:01:34 UTC 2004


SD> Date: Sun, 7 Mar 2004 21:24:44 -0500 (EST)
SD> From: Sean Donelan


SD> This confirms my statement.  You save nothing by deploying
SD> SAV on your network.  There may be some indeterminate benefit

Unless, of course, the traffic originated from your network and
it simplifies your backtrace.  Tracing flows isn't difficult, but
it's more time-consuming than a traceroute.


SD> at some indeterminate time in the future after everyone else
SD> in the world correctly implements SAV.  But there is no way
SD> to verify if every other network in the world has correctly
SD> deployed SAV.  Even if everyone deploys SAV/uRPF you never

s/SAV/AS_PATH filtering and netblock adverts/ in your above
statement.  While technically true, it's highly disingenuous.
Should providers quit filtering those simply because not everyone
does it?  It's extra cost with no selfish benefit, right?

If you want a network to extend that courtesy to you, extend it
to them.  If you extend the courtesy to them, demand it in
return.


SD> know when someone may misconfigure something, so you still
SD> have to keep doing everything you were doing.

Perhaps on a lesser scale, though.  There's benefit in knowing
something did not originate from certain sources.


SD> In the meantime, you get to pay for the extra costs for
SD> deploying SAV/uRPF in addition to doing everything you were
SD> already doing.

Just like AS_PATH and netblock announcement filters.  Just like
flow monitoring.  Just like chasing down spammers.  Just like
dealing with "pwned" systems.  Just like most anything else that
wouldn't be necessary in a perfect world.

Also note various posters' interest in shifting costs to
responsible parties.  One can argue what is "reasonable", but
consequences boost motivation.  Perhaps if lack of certain
precautions were considered [legally] negligent, failure would be
the more expensive option.


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
          DO NOT send mail to the following addresses :
  blacklist at brics.com -or- alfra at intc.net -or- curbjmp at intc.net
Sending mail to spambait addresses is a great way to get blocked.
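As an added illustration of the SAV/uRPF check the thread argues about (example code written for this page, not from the thread or any vendor), the following Python models strict and loose unicast reverse-path forwarding against a constructed FIB. The prefixes, interface names and the treatment of the default route (ignored unless explicitly allowed) are assumptions modelled on common router behaviour.

```python
import ipaddress

# Constructed FIB for illustration (not from the thread): prefix -> egress interface.
# None marks a discard/null route, as one would use to blackhole bogon space.
FIB = {
    "0.0.0.0/0": "Gi0/0",        # default route toward the upstream
    "198.51.100.0/24": "Gi0/1",  # customer A
    "203.0.113.0/24": "Gi0/2",   # customer B
    "192.0.2.0/24": None,        # blackholed prefix
}

def best_route(src: str):
    """Longest-prefix match for src. Returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifc in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best

def urpf(src: str, in_ifc: str, mode: str = "strict", allow_default: bool = False) -> bool:
    """True if a packet with source src arriving on in_ifc passes the reverse-path
    check. strict: the best route to src must point back out in_ifc.
    loose: any real (non-discard) route to src suffices. In both modes the
    default route only counts when allow_default is set (assumed behaviour)."""
    route = best_route(src)
    if route is None:
        return False
    net, ifc = route
    if ifc is None:                          # route to discard: always fail
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return ifc == in_ifc

def classify(packets):
    """Apply strict uRPF at the customer edge and record the verdict per packet,
    so an operator can see which sources could not have originated locally."""
    return [(src, ifc, "pass" if urpf(src, ifc) else "drop") for src, ifc in packets]

# Constructed sample: customer A's own address, a customer-B address arriving on
# A's port, a blackholed source, and an address only covered by the default route.
SAMPLE = [("198.51.100.7", "Gi0/1"), ("203.0.113.9", "Gi0/1"),
          ("192.0.2.1", "Gi0/1"), ("100.64.0.1", "Gi0/1")]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

The loose mode exists for the multihomed case the strict check mishandles; the second sample packet passes loose and fails strict, which is exactly the difference in what each mode lets you conclude about a source.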




More information about the NANOG mailing list