Nick Olsen nick at flhsi.com
Tue Jan 28 21:07:16 UTC 2014

While I see what you're saying. It's still not "Spoofed".

The device in question receives the request. And then generates a response 
with the src address of the egress interface of the device dst to the IP 
and port that requested it... In this case. The GRE tunnel. Unless I'm 
missing something here about replying to a request only on the interface 
which it ingressed the device. And the fact that it's UDP. not TCP. So it's 

Thus, Nothing was ever spoofed. It just simply was returned from a 
different interface of the same device. From our point of view. We saw the 
packet of DNS-SRC>OurCustomer. And the other ISP, Which transported the 
reply. only saw Customer-SRC>DNS-DST.

Obviously, This only works because it's UDP. And TCP would be broken.

Nick Olsen
 Network Operations 
(855) FLSPEED  x106

From: "Jared Mauch" <jared at puck.nether.net>
Sent: Tuesday, January 28, 2014 3:04 PM
To: nick at flhsi.com
Cc: "David Miller" <dmiller at tiggee.com>, Valdis.Kletnieks at vt.edu, "NANOG" 
<nanog at nanog.org>
Subject: Re: BCP38.info

On Jan 28, 2014, at 2:57 PM, Nick Olsen <nick at flhsi.com> wrote:

> Agreed.
> Our's listed for AS36295 are two customers, Which I know for a fact have 
their default route set out of a GRE tunnel interface. So while we hand 
them the request to their interface IP we've assigned them. The response is 
actually sent, And transported via the customers GRE Tunnel, And HQ's 
Dedicated internet access where their tunneling to. Making it appear that 
the reply has been spoofed. When in reality. it was just silent transported 
to another area before being sent to the src. 

Sure, but this means that network is allowing the spoofing :)

What I did last night was automated comparing the source ASN to the dest 
ASN mapped to and reported both the IP + ASN on a single line for those 
that were interested.

I'm seeing a lot of other email related to BCP-38 right now on another 
list, but I wanted to share some data (again) in public regarding the state 
of network spoofing out there.

I'd rather share some data and how others can observe this to determine how 
we can approach a fix.  Someone spoofing your IP address out some other 
carrier is something you may be interested to know about, even if you have 
a non-spoofing network.

- jared

More information about the NANOG mailing list