Source address validation (was Re: UUNet Offer New Protection Against DDoS)

Steve Francis steve at expertcity.com
Mon Mar 8 19:48:11 UTC 2004


Christopher L. Morrow wrote:

>>2. I've not seen large networks talking about their awful
>>   experiences with SAV.
>>
>it melts routers, good enough for you? Specifically it melts linecards :(
>my experience is only on Cisco equipment though, so the linecard/ios/rev
>games must be played. If you upgrade, or initially install, E3 cards a
>large portion of this care is not necessary though. This is a problem that
>could be migrated out as new equipment/capabilities hit everyone's
>networks. I suspect that market pressure will push things in this
>direction anyway over time.
>
That was exactly what I was doing by saying I will only get service from
ISPs that run loose-uRPF in cores (or all edges, including peering links).

I will not take service from ISP X, who is cheaper than ISP Y, if ISP X 
cannot assure me that I will not get bogon sourced traffic on my link.

What you are saying above is not a technical argument against uRPF (as
you grant that there is equipment that will do uRPF at core speeds) -
it's a business one. So I am giving you a business incentive to take to
your managers. "Customers want this service which we cannot deliver w/o 
upgrades. Customers will not give us money unless we spend this money, 
and they will go to our competitors who have infrastructure that can do 
it." If your vendors cannot deliver equipment that meets your 
requirements to meet your customers' needs, you need to say the same 
thing to your vendors, and vote with dollars for those that can.



More information about the NANOG mailing list