nanog mailing list archives
Re: router worms and International Infrastructure
From: Pekka Savola <pekkas () netcore fi>
Date: Thu, 22 Sep 2005 08:39:23 +0300 (EEST)
On Wed, 21 Sep 2005, Christopher L. Morrow wrote:
> On Wed, 21 Sep 2005, Pekka Savola wrote:
>> Btw. Juniper's Feasible Path uRPF (mentioned in RFC3704) is your friend, even on multihomed/asymmetric links.
>
> So, say I'm a large consumer broadband ISP, and I made the decision some years ago to use net-10 as my infrastructure space? How does 'feasible path' help block 10.x.x.x sources exactly?

Sorry, I don't understand the context to see the problem.

If you use 10.x.x.x internally in your backbone, you're fine because that cruft shouldn't be coming at your direction from the customers.
If you also use 10.x.x.x to assign addresses to the CPE boxes (which is what I think you're saying), the customer can only spoof one /30 from 10/8 (or whatever has been assigned on the CPE and/or the point-to-point link).
You may also consider using uRPF at the CPE box to disallow the customer from spoofing anything in that infrastructure space (particularly the /30).
At your borders (upstream/peers), you will naturally block all of 10/8 at egress.
While uRPF might or might not be sufficient to protect *your* infrastructure from worms (if the customer happens to spoof "just the right way"), it should be useful in preventing spoofing affecting others' infrastructure.
--
Pekka Savola, Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds." -- George R.R. Martin: A Clash of Kings
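The following is an added example, not part of the message above: a simplified Python model of the three uRPF modes from RFC 3704, showing why feasible-path mode tolerates a multihomed/asymmetric customer while still confining a customer to the /30 assigned on its link. The interface names, prefixes and the routing table are constructed for illustration, and the model treats "feasible" as "any known path for the longest matching prefix points out the arrival interface".

```python
import ipaddress

# Constructed RIB: prefix -> [(interface, is_best_path)]. All values are
# made up for this example; net-10 is used as infrastructure space.
RIB = {
    "10.20.30.0/30":   [("cust-a", True)],                       # CPE point-to-point link
    "192.0.2.0/24":    [("cust-a", True)],                       # customer A's own block
    "198.51.100.0/24": [("cust-b1", True), ("cust-b2", False)],  # multihomed customer B
    "10.0.0.0/8":      [("core", True)],                         # backbone infrastructure
}

def lookup(src):
    """Longest-prefix match on the source address; [] when no route exists."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in RIB]
    matches = [n for n in nets if addr in n]
    if not matches:
        return []
    return RIB[str(max(matches, key=lambda n: n.prefixlen))]

def urpf_accept(src, in_iface, mode):
    """Return True if a packet with this source passes the uRPF check."""
    paths = lookup(src)
    if mode == "loose":      # any route to the source, via any interface
        return bool(paths)
    if mode == "strict":     # best path must point out the arrival interface
        return any(i == in_iface and best for i, best in paths)
    if mode == "feasible":   # best or alternative path via the arrival interface
        return any(i == in_iface for i, _ in paths)
    raise ValueError(f"unknown uRPF mode: {mode}")

def demo():
    """Run the cases discussed in the thread and return the verdicts."""
    cases = [
        ("198.51.100.7", "cust-b2", "strict"),    # asymmetric return path
        ("198.51.100.7", "cust-b2", "feasible"),
        ("10.20.30.2",   "cust-a",  "feasible"),  # inside the assigned /30
        ("10.1.1.1",     "cust-a",  "feasible"),  # rest of 10/8 from a customer
        ("10.1.1.1",     "cust-a",  "loose"),     # loose mode only needs a route
    ]
    return {c: urpf_accept(*c) for c in cases}

if __name__ == "__main__":
    for (src, iface, mode), ok in demo().items():
        print(f"{src:>14} on {iface:<8} {mode:<9} -> {'accept' if ok else 'drop'}")
```

In this model the only 10/8 sources accepted on the customer interface are those in the /30 routed toward it, which is the residual spoofing window the message describes.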