Re: BCP38 - Internet Death Penalty

[William Herrin <bill () herrin us>]

On Tue, Mar 26, 2013 at 4:09 PM, Jay Ashworth <jra () baylink com> wrote:
> > From: "William Herrin" <bill () herrin us>
> > 1. The general IDP does not apply to stub networks which do not speak
> > BGP. It is for those stubs' ISPs to determine how they'll handle
> > mis-sourced traffic they receive from those networks.
>
> So, here, you mean customers of such as "Road Runner Business", who
> have an office full of workstations and maybe some servers.

Correct.


> The goal, unless I badly misunderstood it, was to *drop forged traffic
> coming from this sort of source (assuming you generalize "my PC at
> home on a cablemodem" as the limiting example of this class, which I
> do).

Indeed. But it isn't achievable. $Random_SOHO will continue to be
hacked on a regular basis. He doesn't have someone working for him
with the skill to prevent it. Further victimizing him with a game of
whack-a-mole helps nobody.

Besides, his failings aren't important to us. What's important to us
is that his failings don't impact us. We achieve that by insisting
that his ISP not leak his forged packets on to the public Internet. It
would be nice if his ISP didn't accept the forged packets at all, but
that's really not our problem and we don't need to make it our
business.


> > 2. A BGP origin-only network is required to secure its BGP-speaking
> > borders against source address spoofing. It may also secure spoofing
> > from downstream networks (and in fact it SHOULD do so) but it avoids
> > the IDP so long as its BGP-speaking borders are secured.
>
> This is the next size up of edge network; a buyer of transit.
>
> This item does no good; you're expecting *the potential bad actor*
> *not to act badly*.

At last count there are fewer than 45,000 such systems worldwide, not
millions upon millions like in group 1. This is a manageable number of
potential bad actors to whom the IDP would apply.

Also, we're not looking to catch bad actors here. We're looking to
catch sloppy actors. We catch bad actors at step 3 by spanking their
upstream transit ISPs for failing to prevent source spoofing.


> > 3. A BGP transit network is required to secure all components of its
> > network against source address spoofing, including all non-BGP stub
> > customers and all origin-only BGP customers. It is not expected to
> > prevent spoofed packets from arriving from neighboring transit BGP
> > networks.
>
> *This* is Road Runner.  Also Comcast, Mindspring, and the other Top 40
> eyeball networks.  It is also, of course, larger carriers who sell access
> in addition to more traditional transit and possibly peering.

Correct.


> AFAICT, this is the spot where source-address-spoofing needs to be
> *enforced*;

Unfortunately, it's also the spot where system complexity reaches a
point where as a purely technical matter, source address filtering
isn't always possible. You can filter your customers based on the
routes they say they plan send you and you can filter your own
internal networks based on the addresses you assign but filtering your
peers for falsely sourced packets can be as intractable as filtering
your upstream for falsely sourced packets.

Hence the additional expectations...

> > It is also expected to promptly assist (24/7/365) with trace requests
> > from any individual presenting legitimate credentials as the assignee
> > of a particular source address and presenting with reasonable evidence
> > that packets with a spoofed address cross a specifically identified
> > system owned by the transit network. Where the packet stream
> > continues, these trace requests must promptly result in identification
> > of the actual source of the packet (if within the transit network's
> > system) or the identification of the neighboring system, the specific
> > entry point and high-level contacts within the neighbor system capable
> > of continuing the trace.


> > 4. Applying the IDP _does not_ mean you cut off the network. That'll
> > piss of your customers as much or more than it pisses off theirs. The
> > position is untenable. Instead, the IDP consists of redirecting the
> > offender's public presence web sites to a web site which proclaims the
> > IDP, lists the causes of the IDP and lists the actions required to
> > lift the IDP.
>
> Unless I misunderstand you there, you're suggesting that inbound HTTP to
> public websites *operated by the spoofing entity* should be redirected
> to a site that shames them?  Yeah, that will piss them off less... :-)

I don't care about about pissing them off. I care about pissing off my
customers. My customers will be pissed off if they can't reach their
customers and suppliers. Who will often be hosted by the target of the
IDP. But will much more rarely be the target of the IDP.



> > To ask the CEOs to authorize cutting off access to a competitor's web
> > site with the full support and approval of a group of recognized
> > Internet luminaries?
>
> The problem with that sub-approach is that luminaries (of the scale that
> everyone will automatically listen to them), as Jon Postel has said, do
> not scale.

Which is A-OK because if we're applying more than 1 or 2 IDPs in a
year to folks who weren't intentionally bad actors then we're doing it
wrong. It shouldn't ever "scale."



-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004