Why won't providers source-filter attacks? Simple.

• Previous message (by thread): Why won't providers source-filter attacks? Simple.
• Next message (by thread): Why won't providers source-filter attacks? Simple.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 5, 2014 at 2:46 AM, Saku Ytti <saku at ytti.fi> wrote:

>
> If we keep thinking this problem as last-mile port problem, it won't be
> solved

in next 20 years. Because lot of those ports really can't do RPF and even
> if

[snip]


The last-mile ports don't necessarily need RPF; a simple inbound access
list on the ISP side.......  Or even outbound on CPE side, with all valid
source addresses allowed,  and nothing else:  is just perfect.

In essence; it is a last-mile problem, and that is part of  the challenge.
 The last-mile is the best possible place to filter, without breaking
things.     As for the idea, that the world can take a shortcut,  and
 filter in some manner at transit services is tantalizing, but also: is not
quite adequate,  and that's probably not going to happen either.


> [snip]
>
However transit border doing ACL is something that seems to very
> controversial, there is no universal consensus that it even should be


Anything that is likely to blackhole legitimate traffic is going to be
controversial.

IP source based filtering on transit links may very well fall into that
category of greatly increasing that risk in many cases.

   Restricting the source IP address range in from transit links is a bad
idea, unless you can be certain that no other source IPs will show up
legitimately,   which you cannot necessarily be.

  If i am a transit provider,  and I connect with a peer network buying
transit from me,  then they get to route traffic over that link: according
to the routes my network announced to their router.

If my router discards any of that traffic based on source,  then the route
I propagated to my peer was dishonest ---  that is,   it would mean my
route announcement was a lie: the filtering would in essence make some
routes blackhole routes, and I am disrupting the connectivity for the
unexpected source addresses,  just by turning up that link.

Or I am at risk of disrupting connectivity in the future, to any network
that my downstream peer later interconnects with,  if they will also
provide transit in that relationship,  and also... it would be a common
practice on many networks to  turn up such interconnections  at a date
before  I or  any other transit upstreams are informed.

It is likely from time to time, that many transit downstreams will  obtain
additional address allocations, or  that they will make additional network
connections:  especially, if in fact,  my downstream peer is multihomed,
possibly with numerous providers,  and they may themselves be a transit
provider.

At a certain level;   "RPF"   does not work,   because:  by design,
routing IN and OUT can very well be asymmetric  traffic flows for networks
 that are multihomed.

Not announcing the source  to a specific network,  doesn't make it OKAY for
the adjacent transit network to drop traffic from that source.



> done and
> quite few seem to do it. I feel we need to change this, and make community
> at
> large agree it is the BCP and solve the challenges presented.
>

--
-JH

• Previous message (by thread): Why won't providers source-filter attacks? Simple.
• Next message (by thread): Why won't providers source-filter attacks? Simple.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]