BCP38 making it work, solving problems
fred at cisco.com
Tue Oct 19 12:19:32 UTC 2004
At 01:11 PM 10/19/04 +0200, JP Velders wrote:
>As it was "in the old days": first clean up your own act and then start
>pointing at others that they're doing "it" wrong.
hear hear... But Paul knows and in fact does that. He is pointing out the
difficulty of getting people to do basic things that are for their own
For example, how many ISPs use TCP MD5 to limit the possibility of a
BGP/TCP connection getting hijacked or disrupted by a ddos attack? But this
has been in the code since ~1990, and was put there because of a fairly
serious and specific attack that was made on Internet routing, and benefits
primarily the ISP that enables the procedure in that it knows that its
routes are coming to it from systems it has chosen to trust.
Ingress filters help the ISP that installs them, in that a certain class of
attacks are prevented among customers of the ISP. Would it be better if all
ISPs and all edge networks put appropriate filters in place? Absolutely.
But even if they do not, the ISP saves itself that much trouble.
Where ingress filters don't help, of course, is when the attacks come from
an apparently-legitimate address. Then we are off to other tools.
More information about the NANOG