nanog mailing list archives
Re: dsl providers that will route /24
From: Adrian Chadd <adrian () creative net au>
Date: Thu, 29 Mar 2001 19:18:36 +0800
On Wed, Mar 28, 2001, David Schwartz wrote:
> > No, no, no. You are erring on the side of openness, rather than on the side of security.
>
> Exactly! And that's the crux of the issue here. We are not talking about a firewall. We are not talking about a military installation. We are talking about our customers, and we should be taking an 'innocent until proven guilty' approach with them whenever it is reasonably possible to do so.
.. on today's internet? Right. You've never been hit by a DoS. That you can't trace. My cable modem provider filters. Good on them. It means that when I set up my tunnel for my "portable /24", I had to think hard for 5 minutes to convince FreeBSD's ipfw that it wanted to stuff all packets from my /24 out the tunnel, rather than just defaulting. <irony> It was really hard. Really. </irony>
> What I also oppose is advocacy of filtering that claims that filtering fixes the problem. It doesn't, it just minimizes the damage. Hiding the fact that a misconfigured firewall is leaking packets with inside IPs or the fact that a machine has been root compromised (or worse, that the actual admin likes to launch DoS attacks) ultimately harms everyone.
The internet is misconfigured. The internet is designed around a trusted non-authenticated layer 3, and this layer can be used for good *AND* evil. Now if only responsible people were allowed on said internet, then the lack of protection wouldn't be an issue. Do you remember the Great SMTP Relay Closing a few years ago? The relays were open, until people started using them for increasing amounts of spam. Now, us Responsible People(tm) knew that open relays were great for when you were roaming or your outgoing relay was broken, but now ..?
> Another problem with the belief that ingress source address filtering is the ultimate solution to the problem of spoofed packets is that it makes it too easy to ignore the fact that there really is a problem. After all, if filtering solves the problem perfectly, there's no need to work on a solution, all you have to do is militantly insist that everyone filter. On the other hand, if there's a general understanding that filtering is only one possible solution that has problems of its own, perhaps they'll continue to work on much better solutions.
Enforce filtering, or replace the internet infrastructure with something better? Guess what's a better choice technically, guess what's got a better chance of happening[0]?

Adrian

[0] With the attitude people have for filtering, I guess neither. ;-)

--
Adrian Chadd <adrian () creative net au>
"The fact you can download a 100 megabyte file from half way around the world should be viewed as an accident and not a right." -- Adrian Chadd and Bill Fumerola
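As an added illustration of what the thread is arguing over (this is not code from the message, from FreeBSD or from ipfw; every prefix, port and packet below is constructed): a small model of per-customer ingress source-address filtering at an access edge. It shows the three cases the posts touch on: a spoofed or leaked source that the filter drops, a legitimate source that the filter lets through but which can now be traced back to a customer port, and a "portable /24" carried inside a tunnel, where the provider's filter only sees the outer header and the check has to be repeated at the tunnel endpoint. The port names, the 198.18.0.0/24 "portable" prefix and the tunnel peer table are assumptions made for the example.

```python
"""Added example (not code from the thread or from FreeBSD/ipfw): a small
model of per-customer ingress source-address filtering, the kind the
thread argues about. All prefixes, ports and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                          # outer IP source
    dst: str
    ingress: str                      # customer port the packet arrived on
    inner_src: Optional[str] = None   # inner source if GRE/IPIP encapsulated


# Constructed access-provider table: prefixes assigned to each customer port.
ASSIGNED: Dict[str, List] = {
    "dsl-port-1": [ip_network("203.0.113.0/24")],
    "dsl-port-2": [ip_network("198.51.100.128/25")],
    "cable-port": [ip_network("192.0.2.0/28")],   # the cable-modem customer
}
# The customer's "portable /24" is not in the provider's table at all; it is
# reachable only through a tunnel to a box that will route it (assumption).
PORTABLE = ip_network("198.18.0.0/24")
TUNNEL_ENDPOINT_ALLOWS = {"192.0.2.5": PORTABLE}   # tunnel peer -> inner prefix


def ingress_permitted(pkt: Packet) -> bool:
    """Strict ingress filter at the access edge: the outer source must be
    inside a prefix assigned to the port it arrived on. Only the outer header
    is checked, which is why a tunnel carries a foreign prefix straight through."""
    src = ip_address(pkt.src)
    return any(src in net for net in ASSIGNED.get(pkt.ingress, ()))


def trace_to_port(src: str) -> Optional[str]:
    """What filtering buys the victim: a source that passed the filter maps
    back to the one port that may emit it. A spoofed/unassigned source maps
    to nothing, so without filtering the trace would dead-end or blame the
    wrong customer."""
    a = ip_address(src)
    for port, nets in ASSIGNED.items():
        if any(a in net for net in nets):
            return port
    return None


def tunnel_endpoint_permits(pkt: Packet) -> bool:
    """At the far end of the tunnel the same check is applied to the inner
    header: the decapsulated source must be the prefix agreed for that peer.
    Without this the tunnel is just a hole through the provider's filter."""
    allowed = TUNNEL_ENDPOINT_ALLOWS.get(pkt.src)
    return (allowed is not None and pkt.inner_src is not None
            and ip_address(pkt.inner_src) in allowed)


def run_filter(packets: List[Packet]) -> List[str]:
    """Label each packet as the edge filter (and tunnel endpoint) would treat it."""
    labels = []
    for p in packets:
        if not ingress_permitted(p):
            labels.append("drop: source not assigned to %s" % p.ingress)
        elif p.inner_src is not None:
            verdict = "ok" if tunnel_endpoint_permits(p) else "REJECT at tunnel endpoint"
            labels.append("pass outer; inner %s" % verdict)
        else:
            labels.append("pass")
    return labels


SAMPLE = [  # constructed packets
    Packet("203.0.113.7", "192.0.2.200", "dsl-port-1"),                 # legitimate
    Packet("10.1.2.3", "192.0.2.200", "dsl-port-1"),                    # leaked inside address
    Packet("198.51.100.200", "192.0.2.200", "dsl-port-1"),              # spoofing another customer
    Packet("192.0.2.5", "192.0.2.200", "cable-port", "198.18.0.42"),    # portable /24 via tunnel
    Packet("192.0.2.5", "192.0.2.200", "cable-port", "203.0.113.9"),    # abusing the tunnel
]

if __name__ == "__main__":
    for p, label in zip(SAMPLE, run_filter(SAMPLE)):
        print(p.src, p.inner_src or "", "->", label)
```

The third sample packet is the case filtering is usually sold on: without the edge filter, tracing its source would point at dsl-port-2, an innocent customer, and the real origin stays hidden. The last two show the other half of the argument: the provider's filter cannot see inside the tunnel, so whoever terminates the tunnel inherits the job of filtering the inner source, or the "portable /24" workaround quietly becomes an open relay for spoofed packets.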