router worms and International Infrastructure
Pekka Savola
pekkas at netcore.fi
Thu Sep 22 05:39:23 UTC 2005

On Wed, 21 Sep 2005, Christopher L. Morrow wrote:
> On Wed, 21 Sep 2005, Pekka Savola wrote:
>> Btw. Juniper's Feasible Path uRPF (mentioned in RFC3704) is your
>> friend, even on multihomed/asymmetric links.
>
> So, say I'm a large consumer broadband ISP, and I made the decision some
> years ago to use net-10 as my infrastructure space? How does 'feasible
> path' help block 10.x.x.x sources exactly?
Sorry, I don't understand the context to see the problem.

If you use 10.x.x.x internally in your backbone, you're fine because
that cruft shouldn't be coming at your direction from the customers.

If you also use 10.x.x.x to assign addresses to the CPE boxes (which
is what I think you're saying), the customer can only spoof one /30
from 10/8 (or whatever has been assigned on the CPE and/or the
point-to-point link).

You may also consider using uRPF at the CPE box to disallow the
customer from spoofing anything in that infrastructure space
(particularly the /30).

At your borders (upstream/peers), you will naturally block all of 10/8
at egress.

While uRPF might or might not be sufficient to protect *your*
infrastructure from worms (if the customer happens to spoof "just the
right way"), it should be useful in preventing spoofing affecting
others' infrastructure.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
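The exchange above turns on the difference between strict uRPF, loose uRPF and Juniper's feasible-path variant, and on why a customer assigned a /30 out of net-10 can only spoof that one /30 once the check is in place. The model below is an added illustration, not code from the thread, from Juniper or from RFC 3704. It simulates a small RIB on an ISP edge router and applies each uRPF mode to incoming packets, plus the egress filter for 10/8 at the border. All interface names (cust1, core0, up1, up2), prefixes and addresses are constructed for the example.

```python
"""Model of uRPF modes (strict, loose, feasible-path) on an ISP edge router.

Constructed example: the RIB, interface names and addresses are made up
for illustration and do not come from the thread or any vendor implementation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    best: FrozenSet[str]      # interface(s) the active (best) path points to
    feasible: FrozenSet[str]  # every interface a path for this prefix was learned on


class Rib:
    """Minimal routing table with longest-prefix lookup (no default route)."""

    def __init__(self, routes: Iterable[Route]) -> None:
        self.routes = list(routes)

    def lookup(self, addr: IPv4Address) -> Optional[Route]:
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_permits(rib: Rib, src: str, ingress: str, mode: str) -> bool:
    """Return True if a packet with source `src` arriving on `ingress` passes uRPF.

    strict:   the best route for the source must point back out the ingress interface.
    loose:    any route for the source suffices (ingress interface is ignored).
    feasible: any path learned for the source, best or alternate, may point back out
              the ingress interface; this is what makes asymmetric multihoming work.
    """
    route = rib.lookup(ip_address(src))
    if route is None:
        return False  # unrouted source: dropped in every mode
    if mode == "loose":
        return True
    if mode == "strict":
        return ingress in route.best
    if mode == "feasible":
        return ingress in route.feasible
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Infrastructure space used inside the backbone and for CPE links (constructed).
INFRA_SPACE = ip_network("10.0.0.0/8")
BORDER_IFACES = frozenset({"up1", "up2"})  # upstream/peer interfaces (constructed)


def egress_permits(src: str, egress: str) -> bool:
    """Border egress filter: never let 10/8 sources leave towards upstreams or peers."""
    if egress in BORDER_IFACES and ip_address(src) in INFRA_SPACE:
        return False
    return True


def build_rib() -> Rib:
    """Constructed RIB for the scenario discussed in the thread."""
    return Rib([
        # Backbone infrastructure lives in 10/8 and is reached via the core.
        Route(ip_network("10.0.0.0/8"), frozenset({"core0"}), frozenset({"core0"})),
        # One customer's CPE point-to-point link, carved out of 10/8.
        Route(ip_network("10.1.2.0/30"), frozenset({"cust1"}), frozenset({"cust1"})),
        # That customer's real assigned prefix.
        Route(ip_network("192.0.2.0/24"), frozenset({"cust1"}), frozenset({"cust1"})),
        # A multihomed network: best path via up1, an alternate path learned via up2.
        Route(ip_network("198.51.100.0/24"), frozenset({"up1"}), frozenset({"up1", "up2"})),
    ])


def demo() -> Dict[str, bool]:
    """Run the scenarios from the thread through each uRPF mode."""
    rib = build_rib()
    return {
        # Asymmetric return traffic from the multihomed site arrives on up2.
        "asym_strict": urpf_permits(rib, "198.51.100.7", "up2", "strict"),
        "asym_feasible": urpf_permits(rib, "198.51.100.7", "up2", "feasible"),
        # Customer tries to spoof backbone infrastructure space.
        "cust_spoof_backbone": urpf_permits(rib, "10.5.5.5", "cust1", "feasible"),
        # The one /30 the customer legitimately holds from 10/8.
        "cust_own_link": urpf_permits(rib, "10.1.2.2", "cust1", "feasible"),
        # Unrouted source fails even loose mode (no default route in this RIB).
        "bogon_loose": urpf_permits(rib, "203.0.113.9", "cust1", "loose"),
        # Egress: the customer's /30 must not leak to upstreams, real prefix may.
        "egress_infra": egress_permits("10.1.2.2", "up1"),
        "egress_customer": egress_permits("192.0.2.5", "up1"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {'permit' if verdict else 'drop'}")
```

The asymmetric case shows the operational reason for preferring feasible-path over strict uRPF on multihomed links: strict drops legitimate return traffic that comes back via the alternate path, while feasible-path accepts it and still drops a customer source that no path on that interface can reach. Note that the model has no default route; on a real router a default route makes loose mode accept nearly everything, so loose mode is only a filter for unrouted (bogon) sources.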