nanog mailing list archives
Re: BCP38 making it work, solving problems
From: Robert Bonomi <bonomi () mail r-bonomi com>
Date: Tue, 12 Oct 2004 21:53:51 -0500 (CDT)
From owner-nanog () merit edu Tue Oct 12 20:41:45 2004 Date: Wed, 13 Oct 2004 07:09:10 +0530 From: Suresh Ramasubramanian <suresh () outblaze com> To: alex () yuriev com Cc: Steven Champeon <schampeo () hesketh com>, nanog () merit edu Subject: Re: BCP38 making it work, solving problems alex () yuriev com [12/10/04 13:16 -0400]:If I, and my little 7-man company, can afford to have me solve the problem on our end, why the heck can't you do the same?You can do it because you are a 7-man company. So can I. However, companies the size of Sprint cannot do it.Most filtering that I've seen (email, router, whatever) that just works great for a 7 man company will not work when you serve several million users, that's a fact.
Certain _basics_ *are* applicable, regardless of scale. e.g. perimeter filtering of inbound packets w/ RFC-1918 a _source_ address, except for specific ICMP status/response messages. e.g. perimeter filtering of inbound packets with a _source_ address that is in *your* assigned address-space. Some medium-big (and up) operators implement 'RFC-1918 source' filters on their gateways to the 'external internet', but *not* on their customer interfaces. Which means that one of their customers can be attacked via such means, by *another* of their customers. And, after the fact, they can't even tell =which= of their customers done the deed. Similarly, one customer can 'spoof' another customer of that same provider.
One false positive report per week from 7 users. How many per week - or per day - when you have 40 million users, is a question that gets answered real fast. A lot of the bad filtering (or lack of filtering, for that matter) decisions I've seen at large network providers and ISPs is generally where they are also unresponsive to their users and to the internet community that reports stuff to them (quite a few places I could name where most role accounts seem to funnel straight to /dev/null) srs
Current thread:
- Re: aggregation & table entries, (continued)
- Re: aggregation & table entries Paul Vixie (Oct 15)
- Re: aggregation & table entries Christopher L. Morrow (Oct 15)
- Re: BCP38 making it work, solving problems Fergie (Paul Ferguson) (Oct 10)
- Re: BCP38 making it work, solving problems Joe Maimon (Oct 11)
- Re: BCP38 making it work, solving problems Fred Baker (Oct 11)
- Re: BCP38 making it work, solving problems Iljitsch van Beijnum (Oct 13)
- Re: BCP38 making it work, solving problems Fred Baker (Oct 13)
- Re: BCP38 making it work, solving problems Michael . Dillon (Oct 14)
- Re: BCP38 making it work, solving problems bmanning (Oct 14)
- Re: BCP38 making it work, solving problems Iljitsch van Beijnum (Oct 14)
- Re: BCP38 making it work, solving problems Iljitsch van Beijnum (Oct 13)
- Re: BCP38 making it work, solving problems Paul Vixie (Oct 13)
- Re: BCP38 making it work, solving problems Randy Bush (Oct 19)
- Re: BCP38 making it work, solving problems JP Velders (Oct 20)