nanog mailing list archives
Re: [c-nsp] DNS amplification
From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Mon, 18 Mar 2013 14:47:14 +0900
Mark Andrews wrote:
Yes, BCP38 is the solution.It is not a solution at all, because it, instead, will promote multihomed sites bloats the global routing table.How does enforcing that source address entering your net from customers sites match thoses that have been allocated to them bloat the routing table?
First of all, multihomed sites with its own global routing table entries bloats the global routing table, which is the major cause of global routing table bloat and is not acceptable. Then, the only solution is to let the multihomed sites have multiple prefixes, each of which is aggregated by each provider. But, then, all the end systems are required to choose the proper source addresses corresponding to destination addresses, which requires IGPs carry such information. See draft-ohta-e2e-multihoming-05 for details.
Now if you only accept address you have allocated to them by you then that could bloat the routing table but BCP 38 does NOT say to do that. Simlarly URP checking is not BCP 38.
That BCP 38 is narrowly scoped is not my problem.
With SIDR each multi-homed customer could provide CERTs which proves they have been allocated a address range which could be feed into the acl generators as exceptions to the default rules. This is in theory automatible.
The problem is not in individual ISPs but in the global routing table size.
How does that solve the problem?
In the end to end fashion. See draft-ohta-e2e-multihoming-05 for details. Masataka Ohta
Current thread:
- Re: [c-nsp] DNS amplification, (continued)
- Re: [c-nsp] DNS amplification Christopher Morrow (Mar 17)
- Re: [c-nsp] DNS amplification Arturo Servin (Mar 17)
- Re: [c-nsp] DNS amplification Christopher Morrow (Mar 17)
- Re: [c-nsp] DNS amplification Jared Mauch (Mar 18)
- Re: [c-nsp] DNS amplification Christopher Morrow (Mar 17)
- Re: [c-nsp] DNS amplification Jon Lewis (Mar 17)
- Re: [c-nsp] DNS amplification Jimmy Hess (Mar 17)
- Re: [c-nsp] DNS amplification Damian Menscher (Mar 17)
- Re: [c-nsp] DNS amplification Jimmy Hess (Mar 17)
- Re: [c-nsp] DNS amplification Mark Andrews (Mar 17)
- Re: [c-nsp] DNS amplification Masataka Ohta (Mar 17)
- Re: [c-nsp] DNS amplification Dobbins, Roland (Mar 17)
- Re: [c-nsp] DNS amplification Masataka Ohta (Mar 18)
- Re: [c-nsp] DNS amplification Dobbins, Roland (Mar 18)
- Re: [c-nsp] DNS amplification Masataka Ohta (Mar 18)
- Re: [c-nsp] DNS amplification Aled Morris (Mar 19)
- Re: [c-nsp] DNS amplification Christopher Morrow (Mar 19)
- Re: [c-nsp] DNS amplification David Conrad (Mar 19)
- Re: [c-nsp] DNS amplification Christopher Morrow (Mar 19)
- Re: [c-nsp] DNS amplification Jared Mauch (Mar 19)
- Re: [c-nsp] DNS amplification Christopher Morrow (Mar 19)