nanog mailing list archives
Re: [c-nsp] DNS amplification
From: Mark Andrews <marka () isc org>
Date: Mon, 18 Mar 2013 16:22:36 +1100
In message <51469FAE.7030102 () necom830 hpcl titech ac jp>, Masataka Ohta writes:
> Arturo Servin wrote:
>
> > Yes, BCP38 is the solution.
>
> It is not a solution at all, because it, instead, will promote multihomed sites bloats the global routing table.

How does enforcing that source addresses entering your net from customer sites match those that have been allocated to them bloat the routing table? Now if you only accept addresses you have allocated to them by you then that could bloat the routing table but BCP 38 does NOT say to do that. Similarly URP checking is not BCP 38. With SIDR each multi-homed customer could provide CERTs which prove they have been allocated an address range which could be fed into the acl generators as exceptions to the default rules. This is in theory automatable.

> To really solve the problem in an end to end fashion, it is necessary to require IGPs carry information for the proper source address corresponding to each routing table entry in a *FULL* routing table, which must be delivered to almost, if not all, all the end systems.

How does that solve the problem?

> Masataka Ohta
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka () isc org
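The ACL generation described in the message above, as an added sketch that is not part of the original post or any ISC tooling: a per-customer source filter built from provider-assigned prefixes plus validated exceptions for space the customer holds from elsewhere. The prefixes, customer names and the boolean standing in for certificate validation are all constructed assumptions; nothing here touches the routing table.

```python
import ipaddress

# Constructed sample data using documentation prefixes; not from the thread.
PROVIDER_ASSIGNED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25"],
}
# Hypothetical input: prefixes a customer holds from elsewhere, each with a flag
# standing in for "allocation certificate checked and valid".
EXTERNAL_CLAIMS = {
    "cust-a": [("198.51.100.0/24", True), ("203.0.113.0/24", False)],
}


def build_ingress_acl(customer):
    """Permitted source networks for one customer-facing interface."""
    nets = [ipaddress.ip_network(p) for p in PROVIDER_ASSIGNED.get(customer, [])]
    for prefix, validated in EXTERNAL_CLAIMS.get(customer, []):
        if validated:  # only proven allocations become exceptions
            nets.append(ipaddress.ip_network(prefix))
    return list(ipaddress.collapse_addresses(nets))


def permits(acl, src):
    """True if a packet with source address src passes the filter."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)


def render(customer):
    """Generic, vendor-neutral rule lines ending in a default deny."""
    return [f"permit src {n}" for n in build_ingress_acl(customer)] + ["deny src any"]


if __name__ == "__main__":
    for cust in PROVIDER_ASSIGNED:
        print(cust, render(cust))
    acl = build_ingress_acl("cust-a")
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.200"):
        print(src, "permit" if permits(acl, src) else "deny")
```

The multihomed customer's second prefix is accepted only because its claim validated; the unvalidated claim and the neighbouring customer's space are both dropped at the edge.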