Legislative proposal sent to my Congressman

Harry Crowder hcrowder at empiricalnetworks.com
Wed Oct 5 14:15:57 UTC 2016


The term you are referencing is unicast reverse path verify strict/hard mode
Enforces that the packets source can be reached via the interface of the receiving traffic
If this is generaly applied at all provider edge routers and dsl/dialup/vpc pop's would solve the spoofing issue as a whole

-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Larry Sheldon
Sent: Monday, October 3, 2016 5:36 PM
To: Stephen Satchell <list at satchell.net>; nanog at nanog.org; ietf-action at ietf.org
Cc: soc at us-cert.gov; action at eff.org
Subject: Re: Legislative proposal sent to my Congressman



On 10/3/2016 13:58, Stephen Satchell wrote:
> In thinking over the last DDos involving IoT devices, I think we don't 
> have a good technical solution to the problem.  Cutting off people 
> with defective devices they they don't understand, and have little 
> control over, is an action that makes sense, but hurts the innocent.  
> "Hey, Grandma, did you know your TV set is hurting the Internet?"
>
> It's the people who foist bad stuff on the people who need to take the 
> responsibility.  Indeed, with enough moxie, we could avoid the net 
> saturation problem in the first place.
>
> My proposal, as I sent it to my US House Representative:
>

[much snipping]


> Why not nip the IoT problem in the bud?

Why not, indeed?  (Full disclosure:  I am not and have not for some years been active in management of any networks, and I AM woefully behind the state of the arts.)

Having said that, it occurs to me that Mr. Satchell's proposal (and most of the others I have read about here and elsewhere lately) are doomed to the same failure as Chicago's plan for reducing illegal deaths by firearm, and for much the same reason (discussion of which here I will spare you.

Back in the day, I was fighting a problem that I summarized (then and
now) as trying to stop the use and abuse of the University's (that employed me) 56kb Frame Relay link to the Internet.  Then as now I defined "abuse" as the use of our facilities for purposes that no stretch of imagination or definition could be said to be to the University's benefit.

Through some experimentation I concluded that there were several clearly identifiable sources of abuse.  I disremember the ordering by severity but they included:

Outright attacks on the University and others.
Myriad "scans" for a variety of reasons.

The first of these two I remember as being the worst (in terms of item-count AND in terms of packet-size.  I also recall it being the easiest to fix, if anybody want to fix it.  (The dominant reasons  given where that it would cost money without a revenue stream, and it would reduce traffic that WAS in the revenue stream.  The fix I proposed: 
Require (by law) that every service provider and every origination customer of a service provider would under penalty of law, block the transmission of a packet whose source address could not be reached via the link upon which it was found.

The Myriad scans problem was a little harder (for among other reasons--the argument that they were good for us, even though they accounted for something like 60% of the traffic on that link).  The solution I tried but ran out of dollars on was to detect somebody scanning and route them to the Loopback interface of the boundary router.
--
"Everybody is a genius.  But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

--Albert Einstein

 From Larry's Cox account.



More information about the NANOG mailing list