router worms and International Infrastructure

Pekka Savola pekkas at netcore.fi
Thu Sep 22 05:39:23 UTC 2005


On Wed, 21 Sep 2005, Christopher L. Morrow wrote:
> On Wed, 21 Sep 2005, Pekka Savola wrote:
>> Btw. Juniper's Feasible Path uRPF (mentioned in RFC3704) is your
>> friend, even on multihomed/asymmetric links.
>
> So, say I'm a large consumer broadband ISP, and I made the decision some
> years ago to use net-10 as my infrastructure space? How does 'feasible
> path' help block 10.x.x.x sources exactly?

Sorry, I don't understand the context to see the problem.

If you use 10.x.x.x internally in your backbone, you're fine because 
that cruft shouldn't be coming at your direction from the customers.

If you also use 10.x.x.x to assign addresses to the CPE boxes (which 
is what I think you're saying), the customer can only spoof one /30 
from 10/8 (or whatever has been assigned on the CPE and/or the 
point-to-point link).

You may also consider using uRPF at the CPE box to disallow the 
customer from spoofing anything in that infrastructure space 
(particularly the /30).

At your borders (upstream/peers), you will naturally block all of 10/8 
at egress.

While uRPF might or might not be sufficient to protect *your* 
infrastructure from worms (if the customer happens to spoof "just the 
right way"), it should be useful in preventing spoofing affecting 
others' infrastructure.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
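The three controls in the message above (feasible-path uRPF on customer and upstream interfaces, and an egress filter for 10/8 at the borders) as an added example that is not part of the original post: a small Python simulation over a constructed RIB that shows why a customer addressed out of 10/8 can only spoof its own /30, and why feasible-path mode passes an asymmetric return path that strict mode would drop. Interface names, prefixes and the RIB layout are all made up for the demonstration.

```python
import ipaddress

# Constructed sample RIB: prefix -> list of (egress interface, is_active_path).
# 10/8 is used both as backbone space and for CPE point-to-point /30s,
# and 192.0.2.0/24 is a multihomed peer whose return traffic is asymmetric.
RIB = {
    "10.0.5.0/30":  [("cust1", True)],                # CPE link of customer 1
    "10.0.6.0/30":  [("cust2", True)],                # CPE link of customer 2
    "10.0.0.0/8":   [("core0", True)],                # rest of the infrastructure space
    "192.0.2.0/24": [("up1", True), ("up2", False)],  # active via up1, feasible via up2
    "0.0.0.0/0":    [("up1", True)],
}
INFRA = ipaddress.ip_network("10.0.0.0/8")


def lookup(src):
    """Longest-prefix match for src; returns the route's path list or []."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, paths in RIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, paths)
    return best[1] if best else []


def urpf_pass(src, iface, mode):
    """uRPF check on an *ingress* packet: does a route back to src exit via iface?"""
    paths = lookup(src)
    if not paths:
        return False  # no route at all: fails in every mode
    if mode == "strict":      # only the active (best) path counts
        return any(i == iface for i, active in paths if active)
    if mode == "feasible":    # any installed alternative path counts (RFC 3704 sec. 2.3)
        return any(i == iface for i, _ in paths)
    raise ValueError(f"unknown uRPF mode: {mode}")


def egress_allowed(src):
    """Border egress filter: infrastructure space must never leave the network."""
    return ipaddress.ip_address(src) not in INFRA


if __name__ == "__main__":
    for src, iface in [("10.0.5.2", "cust1"), ("10.0.7.1", "cust1"),
                       ("10.0.6.1", "cust1"), ("192.0.2.5", "up2")]:
        print(src, "from", iface,
              "strict:", urpf_pass(src, iface, "strict"),
              "feasible:", urpf_pass(src, iface, "feasible"))
```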