BCP38 making it work, solving problems
bonomi at mail.r-bonomi.com
Wed Oct 13 02:53:51 UTC 2004
> From owner-nanog at merit.edu Tue Oct 12 20:41:45 2004
> Date: Wed, 13 Oct 2004 07:09:10 +0530
> From: Suresh Ramasubramanian <suresh at outblaze.com>
> To: alex at yuriev.com
> Cc: Steven Champeon <schampeo at hesketh.com>, nanog at merit.edu
> Subject: Re: BCP38 making it work, solving problems
> alex at yuriev.com [12/10/04 13:16 -0400]:
> > > If I, and my little 7-man company, can afford to have me solve the
> > > problem on our end, why the heck can't you do the same?
> > You can do it because you are a 7-man company. So can I. However, companies
> > the size of Sprint cannot do it.
> Most filtering that I've seen (email, router, whatever) that just works great
> for a 7 man company will not work when you serve several million users,
> that's a fact.
Certain _basics_ *are* applicable, regardless of scale.
e.g. perimeter filtering of inbound packets with an RFC-1918 _source_ address,
except for specific ICMP status/response messages.
e.g. perimeter filtering of inbound packets with a _source_ address that
is in *your* assigned address-space.
Some medium-big (and up) operators implement 'RFC-1918 source' filters on
their gateways to the 'external internet', but *not* on their customer
interfaces. Which means that one of their customers can be attacked via
such means, by *another* of their customers. And, after the fact, they
can't even tell =which= of their customers done the deed. Similarly,
one customer can 'spoof' another customer of that same provider.
> One false positive report per week from 7 users. How many per week - or per
> day - when you have 40 million users, is a question that gets answered real
> A lot of the bad filtering (or lack of filtering, for that matter) decisions
> I've seen at large network providers and ISPs is generally where they are
> also unresponsive to their users and to the internet community that reports
> stuff to them (quite a few places I could name where most role accounts seem
> to funnel straight to /dev/null)
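As an added illustration, not part of the post above or of any NANOG member's
configuration, here is a small Python model of the two filter placements the
reply describes: an RFC-1918/own-space source filter on the upstream gateway
only, versus a BCP38 source filter on every customer interface as well. The
topology (a provider holding 203.0.113.0/24, split between two customers), the
sample packets, and the choice of ICMP types 3 and 11 as the exempted
"status/response" messages are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private address space; nothing on the public Internet should source from it.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed topology (an assumption, not from the post) using RFC 5737 documentation
# prefixes: the provider is assigned 203.0.113.0/24 and gives half to each of two customers.
PROVIDER_SPACE = ipaddress.ip_network("203.0.113.0/24")
CUSTOMER_PREFIX = {
    "cust-a": ipaddress.ip_network("203.0.113.0/25"),
    "cust-b": ipaddress.ip_network("203.0.113.128/25"),
}

# ICMP types a transit router numbered out of RFC 1918 space may legitimately send back
# (3 = destination unreachable, 11 = time exceeded).  Exempting these is one reading of the
# post's "specific ICMP status/response messages"; the exact set is a policy choice and an
# assumption here.
ICMP_EXEMPT_TYPES = {3, 11}


@dataclass(frozen=True)
class Packet:
    iface: str           # "upstream" (Internet-facing) or a customer interface name
    src: str
    dst: str
    proto: str = "tcp"   # "tcp", "udp" or "icmp"
    icmp_type: int = 0   # only meaningful when proto == "icmp"


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def gateway_filter(pkt):
    """Ingress filter on the upstream interface: drop RFC 1918 sources (except the exempted
    ICMP types) and drop anything claiming to come from our own assigned space."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, RFC1918):
        return pkt.proto == "icmp" and pkt.icmp_type in ICMP_EXEMPT_TYPES
    if src in PROVIDER_SPACE:
        return False
    return True


def customer_filter(pkt):
    """BCP38 ingress filter on a customer interface: accept only sources inside that
    customer's assigned prefix.  RFC 1918 and other customers' addresses fail this test."""
    src = ipaddress.ip_address(pkt.src)
    return src in CUSTOMER_PREFIX[pkt.iface]


def accept(pkt, filter_customer_ifaces):
    """Return True if the provider's edge forwards the packet.
    filter_customer_ifaces=False models 'filters on the external gateway only';
    True models filtering on every customer interface as well."""
    if pkt.iface == "upstream":
        return gateway_filter(pkt)
    if pkt.iface not in CUSTOMER_PREFIX:
        raise ValueError(f"unknown interface {pkt.iface!r}")
    return customer_filter(pkt) if filter_customer_ifaces else True


# Constructed traffic sample (not captured data).
SAMPLE_PACKETS = [
    Packet("upstream", "10.1.2.3", "203.0.113.10"),               # bogon from the Internet
    Packet("upstream", "10.1.2.3", "203.0.113.10", "icmp", 11),   # traceroute reply via RFC 1918 hop
    Packet("upstream", "203.0.113.5", "203.0.113.10"),            # our own space, arriving from outside
    Packet("upstream", "198.51.100.7", "203.0.113.10"),           # ordinary Internet traffic
    Packet("cust-a", "203.0.113.5", "198.51.100.7"),              # cust-a using its own address
    Packet("cust-a", "203.0.113.200", "203.0.113.130"),           # cust-a forging cust-b's address at cust-b
    Packet("cust-a", "10.9.9.9", "203.0.113.130"),                # cust-a using a private source at cust-b
]


def spoofed_packets_forwarded(packets, filter_customer_ifaces):
    """Packets from customer interfaces that are forwarded despite a source outside the
    customer's prefix, i.e. the spoofing that gateway-only filtering lets through."""
    return [p for p in packets
            if p.iface in CUSTOMER_PREFIX
            and not customer_filter(p)
            and accept(p, filter_customer_ifaces)]


if __name__ == "__main__":
    for policy in (False, True):
        print(f"--- customer-interface filtering: {policy}")
        for p in SAMPLE_PACKETS:
            print(f"{p.iface:9} {p.src:15} -> {p.dst:15} {p.proto:4} "
                  f"{'forward' if accept(p, policy) else 'DROP'}")
        print("spoofed packets forwarded:", len(spoofed_packets_forwarded(SAMPLE_PACKETS, policy)))
```

With gateway-only filtering, both of cust-a's forged packets reach cust-b,
and since the drop never happens on an interface that belongs to one customer,
nothing in the edge identifies who sent them. With the filter on each customer
interface, the same packets are dropped at cust-a's interface, so the interface
whose drop counter increments names the offending customer.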