nanog mailing list archives

RE: no ip forged-source-address

From: "Tony Hain" <alh-ietf () tndh net>
Date: Wed, 30 Oct 2002 09:29:10 -0800


To reiterate the comment I made during the session yesterday, the places
where strict rpf will be most effective are at the very edge interfaces
without explicit management (SOHO). This also tends to be the place
where there is insufficient clue to turn it on. One hopes that in the
nanog community there is sufficient clue to recognize the case where
having it on will create a problem and turn it off.

This has been a case where money has been talking, and those with enough
clue to comment on it are saying they don't want it, while those that
really need it are not asking. If the community believes this technique
is the best tool for regaining visibility into where attacks are coming
from, there are two explicit steps to making it happen. First, demand
that all vendors make it the default. Second, be willing to turn it off
rather than simply complain that it doesn't work in the ISP network. 

Tony

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
Behalf Of variable () ednet co uk
Sent: Wednesday, October 30, 2002 8:21 AM
To: nanog () nanog org
Subject: Re: no ip forged-source-address



On Wed, 30 Oct 2002, Daniel Senie wrote:

BCP 38 is quite explicit in the need for all networks to do their 
part. The
document is quite effective provided there's cooperation.


Doesn't seem to be working.

Which interface would you filter on?


Customer ingress ports on the ISP side, which I suspect are 
the majority of ports in ISP networks.  Hopefully engineers 
on the backbone will be clueful enough to turn it off.

If we're talking about a router at the customer premesis,

the filters

should be on the link to the ISP (the customer may well have more 
subnets internally). At the ISP end, doing the filtering

you suggest

would not work, since it'd permit only the IP addresses of the link 
between the customer and user.


The routing table of the router should be used to build up a list of 
prefixes that you should see through the interface.  In this way, you 
could apply it to BGP customers too without having to create 
filters by 
hand.

Regards,


Rich

Current thread:

Re: no ip forged-source-address, (continued)
- Re: no ip forged-source-address Hank Nussbacher (Oct 30)
  - Re: no ip forged-source-address Barney Wolff (Oct 30)
  - Re: no ip forged-source-address Craig A. Huegen (Oct 30)
    - Re: no ip forged-source-address Jared Mauch (Oct 30)
  - Re: no ip forged-source-address Petri Helenius (Oct 30)
    - RE: no ip forged-source-address Tony Hain (Oct 30)
  - Re: no ip forged-source-address Jim Forster (Oct 30)
- Message not available
  - Re: no ip forged-source-address Daniel Senie (Oct 30)
- Re: no ip forged-source-address Daniel Senie (Oct 30)
  - Re: no ip forged-source-address variable () ednet co uk (Oct 30)
    - RE: no ip forged-source-address Tony Hain (Oct 30)
    - RE: no ip forged-source-address Daniel Senie (Oct 30)
  - Re: no ip forged-source-address Michael Lamoureux (Oct 30)
    - Re: no ip forged-source-address Daniel Senie (Oct 30)
    - Re: no ip forged-source-address Christopher L. Morrow (Oct 30)
- RE: no ip forged-source-address H. Michael Smith, Jr. (Oct 30)
  - RE: no ip forged-source-address Christopher L. Morrow (Oct 30)
    - Re: no ip forged-source-address Valdis . Kletnieks (Oct 30)
    - Re: no ip forged-source-address Christopher L. Morrow (Oct 30)
    - RE: no ip forged-source-address Charles D Hammonds (Oct 30)
    - RE: no ip forged-source-address Christopher L. Morrow (Oct 30)

(Thread continues...)