[c-nsp] DNS amplification

Mark Andrews marka at isc.org
Mon Mar 18 05:22:36 UTC 2013


In message <51469FAE.7030102 at necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Arturo Servin wrote:
> 
> > 	Yes, BCP38 is the solution.
> 
> It is not a solution at all, because it, instead, will promote
> multihomed sites bloating the global routing table.

How does enforcing that source addresses entering your net from
customer sites match those that have been allocated to them
bloat the routing table?

Now if you only accept addresses that have been allocated to them
by you then that could bloat the routing table, but BCP 38 does NOT
say to do that.  Similarly uRPF checking is not BCP 38.

With SIDR each multi-homed customer could provide CERTs which prove
they have been allocated an address range, which could be fed into
the ACL generators as exceptions to the default rules.  This is in
theory automatable.

> To really solve the problem in an end to end fashion, it is
> necessary to require IGPs to carry information for the proper
> source address corresponding to each routing table entry in a
> *FULL* routing table, which must be delivered to almost, if
> not all, the end systems.

How does that solve the problem?

> 						Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
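The distinction Mark draws above (BCP 38 = "only accept source addresses allocated to the customer", which is not the same as "only accept addresses *you* allocated", and not the same as uRPF) is easy to show in code. The following is an added example written for this page, not code from the original post or from ISC. It models a multihomed customer that holds one prefix from us and a second prefix from another provider, with the second prefix accepted as an exception on the strength of a (here, constructed) RPKI/SIDR proof. It then contrasts an ingress ACL built from those allocations with a strict uRPF check against a FIB whose best route for the second prefix points elsewhere. All names (`acme`, `Gi0/1`, the `bcp38-acme` ACL name) and prefixes (RFC 5737 documentation space) are assumptions; the emitted ACL lines mimic IOS extended-ACL syntax for readability only.

```python
"""BCP 38 ingress filtering vs. strict uRPF: a toy model.

Constructed example. The "roa_verified" list stands in for the SIDR
certificates a multihomed customer would present to prove an allocation
it did not get from us.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Customer:
    name: str
    interface: str                      # interface the customer attaches to
    assigned_by_us: list = field(default_factory=list)   # prefixes we allocated
    roa_verified: list = field(default_factory=list)     # prefixes proven via ROA/CERT

    def allowed_sources(self):
        """BCP 38 scope: everything allocated to the customer, by anyone."""
        return [ipaddress.ip_network(p) for p in self.assigned_by_us + self.roa_verified]


def build_ingress_acl(customer):
    """Generate IOS-style ACL lines that permit only the customer's legitimate sources.

    Verified prefixes from other providers become explicit permits (the
    "exceptions to the default rules" in the post), so no extra route is
    needed and nothing is injected into the global routing table.
    """
    lines = [f"ip access-list extended bcp38-{customer.name}"]
    for net in customer.allowed_sources():
        # IOS wildcard masks are the inverse of the netmask; ipaddress gives that as hostmask.
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


def bcp38_permits(customer, src):
    """Would the BCP 38 ingress filter pass a packet with this source address?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in customer.allowed_sources())


def strict_urpf_permits(fib, ingress_iface, src):
    """Strict uRPF: pass only if the longest-match route back to src exits via ingress_iface.

    fib maps prefix string -> egress interface. A default route is looked up
    like any other prefix, so an unrouted source still matches 0.0.0.0/0.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == ingress_iface


# Constructed topology: "acme" is multihomed. We allocated 203.0.113.0/24;
# 198.51.100.0/24 came from their other upstream and is proven by a ROA.
ACME = Customer(
    name="acme",
    interface="Gi0/1",
    assigned_by_us=["203.0.113.0/24"],
    roa_verified=["198.51.100.0/24"],
)

# Constructed FIB on our edge router: the best path to acme's second prefix
# happens to be via our transit (Gi0/0), not via the customer port.
FIB = {
    "0.0.0.0/0": "Gi0/0",
    "203.0.113.0/24": "Gi0/1",
    "198.51.100.0/24": "Gi0/0",
}


def compare(customer, fib, src):
    """Return (bcp38_result, strict_urpf_result) for one source address."""
    return bcp38_permits(customer, src), strict_urpf_permits(fib, customer.interface, src)


if __name__ == "__main__":
    print("\n".join(build_ingress_acl(ACME)))
    for src in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(src, "bcp38/strict-uRPF ->", compare(ACME, FIB, src))
```

The spoofed source 192.0.2.1 is dropped by both mechanisms, but the legitimate 198.51.100.9 is dropped only by strict uRPF, because the router's best route for that prefix does not point back at the customer port; the BCP 38 ACL, built from what the customer can prove was allocated to it, passes it without any change to the routing table. That is the sense in which uRPF is a possible implementation aid but not BCP 38 itself.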
