nanog mailing list archives
Re: OpenNTPProject.org
From: Saku Ytti <saku () ytti fi>
Date: Tue, 14 Jan 2014 19:05:13 +0200
On (2014-01-14 08:35 -0800), Damian Menscher wrote:
> I see this as a form of BCP38, but imposed on networks by their transit providers, rather than done voluntarily. It would be great if it could work, but I have doubts due to asymmetric routing announcements intended for traffic shaping.
Yes, I should have specified 'BCP38 in access networks' as being completely unrealistic. (We do BCP38 on all ports and verify programmatically, but I know it's not at all a practical solution globally for access.) An ACL on a transit port is completely harmless; no announcements are needed for traffic to be accepted. There is a very modest amount of transit ports globally, and each port will create segmentation of the spoofing domains, having an immediate, significant effect on the benefits of spoofed attacks. RPF obviously is a non-starter for the reasons you stated.
> I'd expect that to take 20 years or more. Even if new standards are defined, the old servers will only be removed when they physically fail.
It would have to be carried over UDP initially, and that support probably would have to live for 20 years. But a new-L4-over-UDP version could be deployable rapidly. I'm very optimistic that if we had a useful L4 for DNS, a significant portion of relevant DNS servers could be upgraded rapidly to support it. We may be able to use existing data for this: how many servers went from the DNS source port to a random source port to add entropy and reduce the chance of poisoning attacks? A good portion of end users are running w7, w8, osx updating itself automatically, so end-user support could come automatically and not require action from users. Phones, tablets etc. have short upgrade cycles anyhow. The native UDP port could then be policed heavily, making the pay-off of reflected attacks poor and motivating the rest of the users to take the actions needed for the new L4.
> My crazy proposal: get international agreement that sending spoofed packets
Agreed, crazy.

-- 
++ytti
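To make the argument above concrete, here is an added example (not code from the thread or from any NANOG participant) modelling why a static ingress ACL on a transit port behaves differently from strict uRPF when a customer announces prefixes asymmetrically. The prefixes, link names and packet samples are constructed for illustration.

```python
import ipaddress

# Constructed scenario: a customer holds two prefixes and buys transit on
# two links (linkA, linkB). For traffic engineering it announces
# 198.51.100.0/24 only via linkB, but may still send packets sourced from
# that prefix via linkA (asymmetric routing, as Damian's quote describes).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Provider's routing table: prefix -> interface the prefix was learned on.
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "linkA",
    ipaddress.ip_network("198.51.100.0/24"): "linkB",
}


def strict_urpf_accepts(src, iface):
    """Strict uRPF: accept only if the longest-match route for src points
    back at the interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    matches = [p for p in ROUTES if addr in p]
    if not matches:
        return False
    best = max(matches, key=lambda p: p.prefixlen)
    return ROUTES[best] == iface


def transit_acl_accepts(src, allowed=CUSTOMER_PREFIXES):
    """Static ingress ACL on the transit port: accept any source inside the
    customer's registered prefixes, independent of where it is announced."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in allowed)


def classify(packets):
    """Map (src, iface) -> (uRPF decision, ACL decision) for a packet sample."""
    return {(src, iface): (strict_urpf_accepts(src, iface),
                           transit_acl_accepts(src))
            for src, iface in packets}


# Constructed packet sample seen on the provider's ingress ports.
SAMPLE = [
    ("192.0.2.10", "linkA"),    # legitimate, symmetric
    ("198.51.100.7", "linkA"),  # legitimate, but announced only on linkB
    ("203.0.113.5", "linkA"),   # spoofed: not a customer prefix at all
]

if __name__ == "__main__":
    for key, (urpf, acl) in classify(SAMPLE).items():
        print(key, "uRPF accepts:", urpf, "ACL accepts:", acl)
```

Strict uRPF drops the legitimate asymmetric packet, which is the deployment problem the quote raises; the prefix-based ACL accepts it and still drops the spoofed source.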