ISP port blocking practice

Steve Bertrand steve at ibctech.ca
Fri Oct 23 12:36:57 UTC 2009


Jon Kibler wrote:
> Steve Bertrand wrote:
>> Jon Kibler wrote:
>>> To answer that question, I would start with ingress and egress filtering by IP
>>> address, protocol, etc.:
>>>    1) Never allow traffic to egress any subnet unless its source IP address is
>>> within that subnet range.
>> Sorry to nit, but shouldn't your uRPF setup take care of this (and many
>> other of your list items), long before ACL?
> 
>> It's absolutely great if you have your list implemented, but imho, all
>> ISPs, no matter how small, should investigate and implement uRPF. It's
>> especially fun to play with RTBH.
> 
>> To be honest, the smaller you are, the easier it is to implement (i.e.
>> uRPF strict everywhere!  :)
> 
>> Steve
> 
> 
> Agree for the most part. However:
> 
> 1) The overwhelming majority of routers I have audited do not have uRPF
> implemented and most admins do not comprehend it, but they do comprehend
> (usually) ACLs.

Fair enough. However, a considerable portion of my PE and CE gear
consists of 2691s on which uRPF is enabled, so I'd have to wonder which
hardware doesn't support it. Even my routers running FreeBSD/Quagga have
it enabled.

Aside from that, I truly did mean kudos for the poster for at least
putting in the effort for configuring such an elaborate ACL setup :)

As for the admins not comprehending it, imho, if someone is in a
position of operating an Internet Provider network, particularly one
that utilizes BGP, they need to comprehend it, if even just for the
respect of the community. IIRC, it was about two weeks after I read
Kumari's initial draft that I had it not only understood, but implemented.

Even given the small scale that I am at, it really sucks when you see
bogon/your own prefixes ingress to your network. What's more upsetting
is when you have made more than one request to an upstream to stop it,
and you get no response... at all.

> 2) L3 switching does not always support it, leaving potential for abuse if the
> network has any donut holes.

I didn't think of that angle. My experience with L3 switching is very
limited. My understanding is though that most ops use L3 switching
closer to the core (as opposed to the edge), where uRPF isn't needed
anyhow.

> 3) uRPF works best on egress but does little on outside ingress (e.g., bogons).

Unless you have implemented an automated s/RT(BH|sink). Cymru bogons
(learnt via peering) on a trigger box, pushed in through a route-map
tagged with the null-route community to the PE. Works magic.

> 4) Defense in depth dictates using more than one way to detect an attack, so use
> both ACLs and uRPF.

I completely agree. Useful not only as depth, but to patch the holes
where one can't implement strict uRPF due to a client having multiple
peer-points within your network.

Cheers,

Steve
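The thread contrasts strict uRPF, loose uRPF, RTBH null-routed bogons and per-interface ACLs as the patch for customers with more than one peer-point. The following is an added example, not code from the post or from any vendor, that models those checks against a constructed FIB (prefixes, interface names and the ACL entry are all made up) so the trade-offs can be seen on sample packets.

```python
import ipaddress

# Constructed FIB for this example (not from the post): prefix -> best next-hop interface.
# "null0" marks a prefix blackholed via RTBH, e.g. a bogon pushed from the trigger box.
FIB = {
    "192.0.2.0/24":    "gi0/0",  # single-homed customer A
    "198.51.100.0/24": "gi0/1",  # multihomed customer B: best path gi0/1, but it also sends via gi0/2
    "10.0.0.0/8":      "null0",  # bogon, null-routed by the RTBH trigger
    "0.0.0.0/0":       "gi0/3",  # default route to the upstream
}

def reverse_path(src, fib=FIB, allow_default=False):
    """Longest-prefix match on the source address; returns the interface or None.
    As in IOS uRPF, the default route is not a valid reverse path unless allow_default."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    if best is None or (best[0].prefixlen == 0 and not allow_default):
        return None
    return best[1]

def urpf(src, ingress_if, mode="strict", fib=FIB):
    """uRPF verdict ('forward'/'drop') for a packet with source src arriving on ingress_if."""
    ifname = reverse_path(src, fib)
    if ifname is None:
        return "drop"     # no usable reverse path (unrouted space)
    if ifname == "null0":
        return "drop"     # RTBH: a blackholed source fails uRPF in both modes
    if mode == "loose":
        return "forward"  # loose: any real route back to the source suffices
    return "forward" if ifname == ingress_if else "drop"  # strict: must be the ingress interface

# Per-interface source ACL: the "patch" for ports where strict uRPF cannot be used
# because the customer has more than one peer-point (constructed entry).
INGRESS_ACL = {"gi0/2": ["198.51.100.0/24"]}

def acl_permits(src, ingress_if, acl=INGRESS_ACL):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in acl.get(ingress_if, []))

def verdict(src, ingress_if, fib=FIB, acl=INGRESS_ACL):
    """Defense in depth: strict uRPF on single-path ports, loose uRPF plus ACL elsewhere."""
    mode = "loose" if ingress_if in acl else "strict"
    if urpf(src, ingress_if, mode, fib) == "drop":
        return "drop"
    if ingress_if in acl and not acl_permits(src, ingress_if, acl):
        return "drop"
    return "forward"
```

Note that loose mode alone lets customer B spoof customer A's addresses (both have real routes), which is why the ACL is still needed on gi0/2.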
