nanog mailing list archives
Re: BCP38.info
From: "Nick Olsen" <nick () flhsi com>
Date: Tue, 28 Jan 2014 16:07:16 -0500
While I see what you're saying. It's still not "Spoofed". The device in question receives the request. And then generates a response with the src address of the egress interface of the device dst to the IP and port that requested it... In this case. The GRE tunnel. Unless I'm missing something here about replying to a request only on the interface which it ingressed the device. And the fact that it's UDP. not TCP. So it's fire-and-forget. Thus, Nothing was ever spoofed. It just simply was returned from a different interface of the same device. From our point of view. We saw the packet of DNS-SRC>OurCustomer. And the other ISP, Which transported the reply. only saw Customer-SRC>DNS-DST. Obviously, This only works because it's UDP. And TCP would be broken. Nick Olsen Network Operations (855) FLSPEED x106 ---------------------------------------- From: "Jared Mauch" <jared () puck nether net> Sent: Tuesday, January 28, 2014 3:04 PM To: nick () flhsi com Cc: "David Miller" <dmiller () tiggee com>, Valdis.Kletnieks () vt edu, "NANOG" <nanog () nanog org> Subject: Re: BCP38.info On Jan 28, 2014, at 2:57 PM, Nick Olsen <nick () flhsi com> wrote:
Agreed. Our's listed for AS36295 are two customers, Which I know for a fact have
their default route set out of a GRE tunnel interface. So while we hand them the request to their interface IP we've assigned them. The response is actually sent, And transported via the customers GRE Tunnel, And HQ's Dedicated internet access where their tunneling to. Making it appear that the reply has been spoofed. When in reality. it was just silent transported to another area before being sent to the src. Sure, but this means that network is allowing the spoofing :) What I did last night was automated comparing the source ASN to the dest ASN mapped to and reported both the IP + ASN on a single line for those that were interested. I'm seeing a lot of other email related to BCP-38 right now on another list, but I wanted to share some data (again) in public regarding the state of network spoofing out there. I'd rather share some data and how others can observe this to determine how we can approach a fix. Someone spoofing your IP address out some other carrier is something you may be interested to know about, even if you have a non-spoofing network. - jared
Current thread:
- Re: BCP38.info, (continued)
- Re: BCP38.info TGLASSEY (Jan 28)
- Re: BCP38.info Valdis . Kletnieks (Jan 28)
- Re: BCP38.info Jared Mauch (Jan 28)
- Re: BCP38.info David Miller (Jan 28)
- Re: BCP38.info Stephen Frost (Jan 28)
- Re: BCP38.info Jared Mauch (Jan 28)
- Re: BCP38.info Jared Mauch (Jan 28)
- Re: BCP38.info Jared Mauch (Jan 28)
- Re: BCP38.info Andrei Robachevsky (Jan 29)
- Re: BCP38.info Jared Mauch (Jan 28)
- Re: BCP38.info Mark Andrews (Jan 28)
- Re: BCP38.info Andrei Robachevsky (Jan 29)
- Re: BCP38.info TGLASSEY (Jan 28)