Source address validation (was Re: UUNet Offer New Protection Against DDoS)

Steve Francis steve at expertcity.com
Mon Mar 8 22:06:25 UTC 2004


Sean Donelan wrote:

>On Mon, 8 Mar 2004, Steve Francis wrote:
>
>>That was exactly what I was doing by saying I will only get service from
>>ISPs that run loose-uRPF in cores. (or all edges, including peering links.)
>>
>>I will not take service from ISP X, who is cheaper than ISP Y, if ISP X
>>cannot assure me that I will not get bogon sourced traffic on my link.
>
>Why do you care how a provider does X?
>
>Your requirement doesn't seem to be run loose-uRPF in cores, although that
>may be one way a provider chooses to solve the problem.  Your requirement
>is "not get bogon sourced traffic on your link."
>
>I know it's tempting to tell other people how to run their networks.  But
>specifying the solution sometimes cuts out alternative solutions which
>work just as well or maybe better.
>
Correct. I was overstating my requirement.
What I really want is as you described: I want assurance that any packet 
I receive on my proposed circuit is NOT sourced from a patently false IP 
address. (i.e. no packets sourced from reserved IP addresses, RFC 1918 
IP addresses; addresses from blocks not yet allocated by routing 
registries, or addresses from blocks that are not currently 
being announced via BGP to the Internet.)

I would also prefer that such packets be dropped as far as possible from 
the POP I am connected to, to minimise the chance of such packets 
overloading the carrier's circuits into that POP.
I know of no way to do this other than loose-uRPF in the core, or at 
least loose-uRPF on all edges, including peering connections.

Can any of the operators that are arguing against loose-uRPF in the core 
state if they run loose-uRPF on all peering connections, regardless of 
speed, as well as on all their edges?
Or propose another way to achieve the same thing?
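
The distinction the thread turns on (a bogon ACL, loose-uRPF, and strict-uRPF each catch a different set of forged sources) is easier to see in a toy model than in prose. The following Python is an added example, not code from the original post or from any router vendor: the FIB, interface names, bogon list and sample packets are all constructed for illustration. It looks each source address up in a small FIB and reports which of the three checks would let the packet through.

```python
"""Toy model of bogon ACLs, loose uRPF and strict uRPF.

Constructed example: the FIB, interface names and sample packets below are
made up for illustration and are not taken from any real router or network.
"""
import ipaddress

# Constructed FIB: prefix -> egress interface. On a real router this is built
# from BGP/IGP; here it stands in for "blocks currently announced via BGP".
# There is deliberately no default route; whether a default route satisfies
# uRPF is a configuration choice on real platforms and is out of scope here.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "ge-0/0/0",      # customer A
    ipaddress.ip_network("198.51.100.0/24"): "ge-0/0/1",   # customer B
    ipaddress.ip_network("203.0.113.0/24"): "ge-0/0/2",    # peering link
}

# Static bogon list: reserved and RFC 1918 space that should never be a
# source address on the public Internet. A static list cannot know about
# unallocated-but-not-reserved blocks; that is what the route lookup adds.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def lookup(addr):
    """Longest-prefix match; returns (prefix, egress_interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def is_bogon(addr):
    """True if the address falls in a statically listed reserved range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def loose_urpf(src):
    """Loose mode: accept if *any* route to the source exists in the FIB."""
    return lookup(src) is not None


def strict_urpf(src, ingress_iface):
    """Strict mode: accept only if the best route back to the source
    points out the interface the packet arrived on."""
    hit = lookup(src)
    return hit is not None and hit[1] == ingress_iface


def classify(src, ingress_iface):
    """Which checks a packet with source `src` arriving on `ingress_iface`
    passes. True means the check would forward the packet."""
    return {
        "bogon_acl": not is_bogon(src),
        "loose_urpf": loose_urpf(src),
        "strict_urpf": strict_urpf(src, ingress_iface),
    }


if __name__ == "__main__":
    # Constructed sample packets, all arriving on customer A's interface.
    samples = [
        ("10.1.2.3", "RFC 1918 source"),
        ("203.0.114.1", "source with no route in this FIB"),
        ("198.51.100.7", "source forged from customer B's block"),
        ("192.0.2.10", "legitimate customer A source"),
    ]
    for src, note in samples:
        print(f"{src:<14} {note:<40} {classify(src, 'ge-0/0/0')}")
```

The third sample is the point the original poster's requirement does not reach: an address forged from a block that *is* announced passes both the static ACL and loose-uRPF, and only strict-uRPF on the ingress edge rejects it. Loose-uRPF in the core therefore answers the "no bogon-sourced traffic" requirement exactly as stated, and no more.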
