nanog mailing list archives

Re: Cisco says attacks are due to operational practices


From: Daniel Senie <dts () senie com>
Date: Fri, 11 Feb 2000 00:18:26 -0500


Sean Donelan wrote:

> On Thu, 10 February 2000, Paul Ferguson wrote:
> > Excuse me, but can you please tell me what "application" a downstream
> > customer might be running which originates packets for traffic with
> > source addresses which they are not advertising (or you are advertising
> > for them)?
>
> The usual example given is Hughes DirectPC, which sends packets with
> a source address of the satellite link via a dialup ISP connection.

This is the same concept used in the original Mobile IP designs. They
expected the Internet would only ever look at destination IP address
when forwarding packets. When we wrote RFC 2267, this issue was raised.
As a result, Mobile IP folks had to look at tunneling the return
traffic.

The right answer for DirectPC is the same. Tunnel the traffic so that
it's on valid IP addresses. Using inappropriate source IP addresses for
the network you're on is just not going to fly. We have the technology
to deal with it.

In the multihomed case, the upstream providers should be made aware,
either via a BGP advertisement or telephone call or whatever. Blindly
allowing all traffic from a multihomed customer isn't likely to be a
good plan in the long run.

-- 
-----------------------------------------------------------------
Daniel Senie                                        dts () senie com
Amaranth Networks Inc.            http://www.amaranthnetworks.com
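The ingress filter Senie is arguing for, as an added worked example (this is illustrative code, not anything from the thread, RFC 2267 or a Cisco implementation). It models an upstream that keeps a per-interface list of prefixes each customer may legitimately source: a statically assigned block for a dialup customer, and for the multihomed customer the union of the block confirmed out of band and the prefixes received over the customer's BGP session. The interface names, prefix assignments and packets are all constructed for the example; the addresses come from the documentation ranges. The point it shows is that a DirectPC-style packet arriving on the dialup interface with the satellite link's address as its source is dropped, whereas the same traffic encapsulated in a tunnel whose outer source is the dialup address passes, because only the outer header is subject to the check.

```python
"""
Source-address ingress filtering in the spirit of RFC 2267 (BCP 38).

Added illustration for this thread, not code from the original post.
Interfaces, prefixes and packets are constructed; addresses are from the
documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    ingress_if: str                  # interface the packet arrived on
    src: str                         # outer IP source address
    dst: str                         # outer IP destination address
    inner_src: Optional[str] = None  # source of an encapsulated packet, if tunneled


# Hypothetical customer data. `STATIC` is what was assigned or confirmed by
# phone; `BGP_ANNOUNCED` is what the customer advertises to us over BGP
# (in practice taken from the session's received prefixes).
STATIC = {
    "dialup0": ["192.0.2.0/24"],       # single-homed dialup customer
    "serial1": ["203.0.113.0/25"],     # multihomed customer, first half only
}
BGP_ANNOUNCED = {
    "serial1": ["203.0.113.0/24"],     # multihomed customer advertises the whole /24
}


def build_ingress_table(static: Dict[str, List[str]],
                        bgp_announced: Dict[str, List[str]]) -> Dict[str, List[IPNet]]:
    """Per-interface list of prefixes a customer may legitimately source.

    A multihomed customer may source any prefix it advertises to us, even if
    the best route back to that prefix points somewhere else, so the table is
    the union of the static and BGP-learned prefixes for each interface.
    """
    table: Dict[str, List[IPNet]] = {}
    for iface in set(static) | set(bgp_announced):
        nets = [IPNet(p) for p in static.get(iface, [])]
        nets += [IPNet(p) for p in bgp_announced.get(iface, [])]
        table[iface] = nets
    return table


TABLE = build_ingress_table(STATIC, BGP_ANNOUNCED)


def source_permitted(iface: str, src: str, table: Dict[str, List[IPNet]]) -> bool:
    addr = ipaddress.IPv4Address(src)
    return any(addr in net for net in table.get(iface, []))


def ingress_check(pkt: Packet, table: Dict[str, List[IPNet]]) -> Tuple[bool, str]:
    """Return (accepted, reason). Only the OUTER source is inspected; the
    contents of a tunnel are the customer's business, not the upstream's."""
    if pkt.ingress_if not in table:
        return False, "no prefix list for %s, deny by default" % pkt.ingress_if
    if source_permitted(pkt.ingress_if, pkt.src, table):
        return True, "source %s permitted on %s" % (pkt.src, pkt.ingress_if)
    return False, "source %s not permitted on %s" % (pkt.src, pkt.ingress_if)


# Constructed packets: the DirectPC case raw, the same case tunneled, a
# normal dialup packet, a multihomed customer using its BGP-advertised
# space, and a packet on an interface we have no prefix list for.
SAMPLE_PACKETS = [
    Packet("dialup0", "198.51.100.77", "192.0.2.1"),                    # raw satellite source
    Packet("dialup0", "192.0.2.10", "198.51.100.1", inner_src="198.51.100.77"),  # tunneled
    Packet("dialup0", "192.0.2.10", "192.0.2.1"),                       # ordinary dialup traffic
    Packet("serial1", "203.0.113.200", "192.0.2.1"),                    # covered by BGP /24 only
    Packet("serial9", "192.0.2.10", "192.0.2.1"),                       # unknown interface
]


def demo(pkts: List[Packet] = SAMPLE_PACKETS,
         table: Dict[str, List[IPNet]] = TABLE) -> List[Tuple[str, str, bool]]:
    """Run the filter over the sample packets; returns (iface, src, accepted)."""
    return [(p.ingress_if, p.src, ingress_check(p, table)[0]) for p in pkts]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        ok, why = ingress_check(p, TABLE)
        print("ACCEPT" if ok else "DROP  ", why)
```

The check is written as a per-interface prefix list rather than a reverse-path lookup on purpose: for the multihomed customer the best route back to 203.0.113.200 may well point out another interface, so a strict reverse-path test would drop legitimate traffic, while a list built from what the customer advertises (or tells you by phone) accepts it and still rejects everything else. The unknown-interface case is denied rather than allowed through, which is the "blindly allowing all traffic isn't a good plan" point in the post.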


