TWC (AS11351) blocking all NTP?

Jared Mauch jared at puck.nether.net
Tue Feb 4 16:23:36 UTC 2014


On Feb 4, 2014, at 11:04 AM, William Herrin <bill at herrin.us> wrote:

> On Sun, Feb 2, 2014 at 5:17 PM, Cb B <cb.list6 at gmail.com> wrote:
>> And, I agree BCP38 would help but that was published 14 years ago.
> 
> Howdy,
> 
> If just three of the transit-free networks rewrote their peering
> contracts such that there was a $10k per day penalty for sending
> packets with source addresses the peer should reasonably have known
> were forged, this problem would go away in a matter of weeks. Granted
> it would also be helpful to have a BGP extension signifying
> allowed-source-but-don't-route so that RP filtering would work even
> when multihomed. Still, even without automatic RP filtering we're
> capable of preventing spoofed packets if financially incentivized.
> 
> Thing is, they can't be the source of the solution until they stop
> being part of the problem.

I’ve seen similar comments in other forums.  We are all generally paid
for moving packets, not filtering them.  The speed at which you can forward
packets can often cause increased $$.  Using these features also impacts
performance, so the cost may actually be 2x in capex+opex to provision ports
due to reduced line-rate capability.  

Even if you take a RPSL-IRR approach to building filters, and even if the router
can handle such long ACLs bug-free, you have some objects that expand to
cover 50-90% of the internet. They may be someone's backup route at some
point because of ‘something’.

Clearly putting the filters as close to the source as possible is helpful, but
detecting the actual spoofed packet is hard.  Take the thread from last week
about how I can detect folks that are allowed to “spoof”, or “forward”/“rewrite”
my packet destination.  Even if it goes over GRE to somewhere, that IP should only
be sourced from *my* host.  At some point the rest of the trust comes into play
that the IP is correct.  Too many devices are generous in what they accept
and allow these types of attack surfaces to be abused.

Until you find yourself on the receiving end of these types of things, you may not
ask for or pay for DDoS protection services, or advanced filtering, or even ask
your vendor to support these features.  I have to wait months for fixes in the
features because there is no support from others in the industry on the platform, etc.

Those that are up in arms about this stuff seem to not be the ones asking
the vendors for features and fixes.

- Jared
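The points raised in this exchange (a static BCP38 ingress ACL on the customer port, and why plain reverse-path filtering fails for a multihomed customer whose best path is learnt elsewhere) can be worked through with a small model. The following is an added example, not code from the thread or from any vendor; the interface names, prefixes and routing table are constructed sample data. It implements a per-port source ACL and the three uRPF modes described in RFC 3704 (strict, feasible-path, loose) and classifies a few constructed packets, including one spoofed source and one legitimate multihomed source. Feasible-path uRPF, which accepts any received path rather than only the best one, is the closest existing mechanism to the "allowed-source-but-don't-route" idea mentioned above.

```python
from ipaddress import ip_address, ip_network

# --- Constructed sample data (not from the thread) ---------------------------
# Prefixes each customer port is allowed to source packets from (BCP38 ACL).
CUSTOMER_ACL = {
    "ge-0/0/1": [ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/25")],
}

# Routing table: prefix -> candidate next-hop interfaces, best path first.
# 203.0.113.0/25 is multihomed: the best path is learnt from a peer on
# xe-1/0/0, with the direct customer port ge-0/0/2 only a feasible alternate.
RIB = {
    ip_network("0.0.0.0/0"):       ["xe-1/0/0"],
    ip_network("192.0.2.0/24"):    ["ge-0/0/1"],
    ip_network("198.51.100.0/24"): ["ge-0/0/2"],
    ip_network("203.0.113.0/25"):  ["xe-1/0/0", "ge-0/0/2"],
}


def lookup(src):
    """Longest-prefix match on RIB; returns (prefix, interfaces) or (None, [])."""
    best = None
    for net in RIB:
        if src in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best, RIB.get(best, [])


def bcp38_permit(iface, src):
    """Static ingress ACL: the port may only source its own assigned prefixes."""
    return any(src in net for net in CUSTOMER_ACL.get(iface, []))


def urpf_permit(iface, src, mode):
    """Unicast RPF check (RFC 3704 terminology).

    strict   - the best route to src must point back out the ingress interface
    feasible - any received path to src may point back out the ingress interface
    loose    - any non-default route to src suffices (default route ignored,
               as with vendor 'allow-default' left off)
    """
    net, ifaces = lookup(src)
    if net is None:
        return False
    if mode == "strict":
        return ifaces[0] == iface
    if mode == "feasible":
        return iface in ifaces
    if mode == "loose":
        return net.prefixlen > 0
    raise ValueError("unknown uRPF mode: %s" % mode)


# Constructed sample packets: (ingress interface, source address, description).
PACKETS = [
    ("ge-0/0/1", "192.0.2.10",   "legit, single-homed customer"),
    ("ge-0/0/1", "198.51.100.7", "spoofed: another customer's address"),
    ("ge-0/0/1", "8.8.8.8",      "spoofed: off-net reflection source"),
    ("ge-0/0/2", "203.0.113.5",  "legit, multihomed customer, best path via peer"),
]


def classify(packets=PACKETS):
    """Run every filter over each packet; returns one dict per packet."""
    rows = []
    for iface, src, note in packets:
        a = ip_address(src)
        rows.append({
            "iface": iface, "src": src, "note": note,
            "acl": bcp38_permit(iface, a),
            "strict": urpf_permit(iface, a, "strict"),
            "feasible": urpf_permit(iface, a, "feasible"),
            "loose": urpf_permit(iface, a, "loose"),
        })
    return rows


if __name__ == "__main__":
    print("%-9s %-14s %-5s %-6s %-8s %-5s  %s" %
          ("iface", "src", "acl", "strict", "feasible", "loose", "note"))
    for r in classify():
        print("%-9s %-14s %-5s %-6s %-8s %-5s  %s" %
              (r["iface"], r["src"], r["acl"], r["strict"],
               r["feasible"], r["loose"], r["note"]))
```

Running it shows the trade-off in one table: the static ACL and strict uRPF both drop the two spoofed packets, but strict uRPF also drops the legitimate multihomed source on ge-0/0/2 because the best path points at the peer; feasible-path uRPF passes it while still rejecting the spoofs; loose uRPF lets the spoofed neighbour-customer address through because a route for it exists somewhere. The static per-port ACL is the only one of the four that needs no routing-table trust at all, which is why it belongs as close to the customer as possible.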
