Re: SYN floods continue

[Vadim Antonov <avg () quake net>]

Vern Paxson <vern () ee lbl gov> wrote:

> In my Internet end-to-end routing study I found that fully 50% of the pairs
> of paths through the Internet had a major asymmetry at the end of 1995.

Sure, but where the asymmetry is?  Certainly not on tail circuits
of single-homed customers :)

Moreover, multi-homed non-transit networks still announce all routes
to all places; i.e. the filtering i was talking about will still work.

It breaks on transit networks, i.e. the backbones; but people who run
backbones are presumeably clueful enough to disable the filtering on
backbone links, and leave it on on customer tail links.

> "Major" meaning: visited at least one different city in the two directions.
> (30% visited at least one different AS.)  This was a significant increase
> over the same figure for the end of 1994, 30%.  So it may be quite hard to
> make and keep Internet routing symmetric.

Routing *must* be symmetrical within IGP only networks if metrics in
different directions are symmetrical.   When the packets leave the
routing domain, that's another story.

Again, the rule is "dont accept packets from an interface if there's no
route for their source addresses pointing back to the same interface".
Note that that route does not have to be the best one -- just that the
router gets it from somewhere.

--vadim
- - - - - - - - - - - - - - - - -