nanog mailing list archives

Re: Source address validation (was Re: UUNet Offer New Protection Against DDoS)


From: Sean Donelan <sean () donelan com>
Date: Sun, 7 Mar 2004 16:17:50 -0500 (EST)


On Sun, 7 Mar 2004, E.B. Dreger wrote:
> If SAV were universal (ha ha ha!), one could discount spoofed
> traffic when analyzing flows.  But, hey, why bother playing nice
> and helping other networks, eh?

SAV doesn't tell you where the packets came from.  At best SAV tells you
where the packets didn't come from.

> Am I the only one who's had IWFs -- even legitimate entities --
> complain about packets "from your network" that weren't?  It
> certainly would have been nice if $other_networks had used SAV.

You still need to spend the same amount of time tracing the flows because
you can't tell from the packet itself if something went wrong with SAV.
Even if everyone said they did SAV (and meant it), things like uRPF rely
on a number of things to work correctly.  If any of those break or aren't
secure, you still can't rely on the source address being accurate.

Even if you deployed SAV/uRPF on 100% of your network, you probably
wouldn't want to tell people about it due to the idiots with firewalls.

> SAV doesn't take long to implement.  Considering the time spent
> discounting spoofing when responding to incidents, I think there
> would be a _net_ savings (no pun intended) in time spent
> responding to incidents.

You would be wrong.  There are networks that have deployed SAV/uRPF.

They saw no _net_ savings.

In the real world, it costs more to deploy and maintain SAV/uRPF.

Have you noticed this thread is full of people who don't run large
networks saying other people who do run networks should deploy SAV/uRPF.

But there hasn't been anyone who does run large networks saying they
deployed SAV/uRPF and it saved them money, made their network run better
or improved the world?
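As an added illustration, not part of the original message, of why SAV at best tells you where a packet did not come from: a small Python model of strict and loose uRPF over a constructed routing table. The prefixes, interface names and routes are made up for the example; the check is only as trustworthy as the routing table it consults.

```python
import ipaddress

# Constructed routing table for the model: prefix -> egress interface.
# Strict uRPF accepts a packet only if the best route back to its source
# address exits via the interface the packet arrived on; loose uRPF only
# requires that some (non-default) route to the source exist at all.
ROUTES = {
    "192.0.2.0/24": "cust-A",     # customer A's assigned prefix
    "198.51.100.0/24": "cust-B",  # customer B's assigned prefix
    "0.0.0.0/0": "upstream",      # default route towards the Internet
}
DEFAULT = "0.0.0.0/0"

def best_route(src, routes=ROUTES):
    """Longest-prefix match for src: (prefix, interface), or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), iface

def urpf_strict(src, ingress, routes=ROUTES, no_default=True):
    """Strict mode. As in most router implementations, the default route
    does not satisfy the check unless explicitly allowed."""
    r = best_route(src, routes)
    if r is None or (no_default and r[0] == DEFAULT):
        return False
    return r[1] == ingress

def urpf_loose(src, routes=ROUTES, no_default=True):
    """Loose mode: the source merely has to be routable."""
    r = best_route(src, routes)
    return r is not None and not (no_default and r[0] == DEFAULT)

def classify(src, ingress, routes=ROUTES):
    """What SAV lets an operator conclude about one packet."""
    if not urpf_strict(src, ingress, routes):
        return "dropped: source cannot have come in via %s" % ingress
    # Passing only means the source is consistent with the routing table;
    # any host behind cust-A using another cust-A address passes as well.
    return "accepted: source consistent with %s, not proven genuine" % ingress

if __name__ == "__main__":
    for src, iface in [("192.0.2.77", "cust-A"),      # consistent with table
                       ("198.51.100.5", "cust-A"),    # B's address on A's link
                       ("203.0.113.9", "upstream")]:  # only the default matches
        print(src, iface, "->", classify(src, iface))
```

Passing a deliberately wrong table (for example customer B's prefix pointing at cust-A) flips the verdict, which is the sense in which uRPF "relies on a number of things to work correctly".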
