[Update] Re: New ISP to market, BCP 38, and new tactics

Steve Bertrand steve at ibctech.ca
Wed Feb 4 02:52:25 CST 2009


> On 4/02/2009, at 2:43 PM, Steve Bertrand wrote:
>
>> Nathan Ward wrote:
>>> On 4/02/2009, at 2:33 PM, Steve Bertrand wrote:
>>>
>>>> - Currently, (as I write), I'm migrating my entire core from IPv4 to
>>>> IPv6. I've got the space, and I love to learn, so I'm just lab-ing
>>>> it up now to see how things will flow with all iBGP v4 routes being
>>>> advertised/routed over v6.
>>>
>>>
>>> Don't advertise v4 prefixes in v6 sessions, keep them separate.

This entire discussion went off topic, with regard to BCP and filtering.

Off-list, I had someone point out:

http://tools.ietf.org/html/draft-kumari-blackhole-urpf-02

...which is EXACTLY in line with what my end goal was originally, and by
reading it, I feel as if I was getting there free-hand. This document
helps standardize things a bit, and I will follow it to a certain degree,
whether or not it is considered under the standards track, or IANA
considers approving the request for the BGP Extended Communities
Attribute.

What really spooks me, after the last week of research, is how easy it
would be for a client under my control (or hosts under control of an
attacker) to stage/originate an inconspicuous attack (to anywhere), using
standard IDS insertion/evasion tactics (even via a tunnel) from hosts
within a network bordering my AS.

Just by manually viewing logs of ingress traffic, there are just too many
holes.

We're too small to mitigate a bandwidth-saturating attack inbound, but I
can guarantee that I will ensure to the best of my ability that our
network won't be part of any form of attack on yours.

Thank you, everyone, for all of the off- and on-list feedback.

Steve





More information about the NANOG mailing list