Re: BCP38 - Internet Death Penalty

[Jay Ashworth <jra () baylink com>]

----- Original Message -----
> From: "William Herrin" <bill () herrin us>

> > So, here, you mean customers of such as "Road Runner Business", who
> > have an office full of workstations and maybe some servers.
>
> Correct.
>
> > The goal, unless I badly misunderstood it, was to *drop forged traffic
> > coming from this sort of source (assuming you generalize "my PC at
> > home on a cablemodem" as the limiting example of this class, which I
> > do).
>
> Indeed. But it isn't achievable. $Random_SOHO will continue to be
> hacked on a regular basis. He doesn't have someone working for him
> with the skill to prevent it. Further victimizing him with a game of
> whack-a-mole helps nobody.
>
> Besides, his failings aren't important to us. What's important to us
> is that his failings don't impact us. We achieve that by insisting
> that his ISP not leak his forged packets on to the public Internet. It
> would be nice if his ISP didn't accept the forged packets at all, but
> that's really not our problem and we don't need to make it our
> business.

It's possible I badly misunderstand how things like unicast-rpf work,
Bill.  I run much tinier networks than most people here.

But what I *do* understand of it is: you have to run it *at the edge
concentrator*, cause that's the only device which knows which packets to
accept... since *it assigned the address for the link*.

When I say "drop forged traffic coming from...", *who I mean is 'his ISP'*,
as you suggest in the next graf.  I don't see that there's anyway to *know*
packets have a forged address anywhere north of the edge of the lowest tier
IAP the connection is served from.

Did I miss something?  Or was I simply unclear?

> > > 2. A BGP origin-only network is required to secure its BGP-speaking
> > > borders against source address spoofing. It may also secure
> > > spoofing
> > > from downstream networks (and in fact it SHOULD do so) but it
> > > avoids
> > > the IDP so long as its BGP-speaking borders are secured.
> >
> > This is the next size up of edge network; a buyer of transit.
> >
> > This item does no good; you're expecting *the potential bad actor*
> > *not to act badly*.
>
> At last count there are fewer than 45,000 such systems worldwide, not
> millions upon millions like in group 1. This is a manageable number of
> potential bad actors to whom the IDP would apply.

Yes.  These are the people to whom edge nodes and private non-BGP nets
speak; the tier 3 4 and 5 network providers who run edge concentrators
and assign addresses.

> Also, we're not looking to catch bad actors here. We're looking to
> catch sloppy actors. We catch bad actors at step 3 by spanking their
> upstream transit ISPs for failing to prevent source spoofing.

...which you would detect ... how?  *Those* aggregator networks have 
no contractual reason to know what's a valid address coming to them,
unlike the networks to which end sites attach directly.


> > *This* is Road Runner. Also Comcast, Mindspring, and the other Top 40
> > eyeball networks. It is also, of course, larger carriers who sell access
> > in addition to more traditional transit and possibly peering.
>
> Correct.
>
> > AFAICT, this is the spot where source-address-spoofing needs to be
> > *enforced*;
>
> Unfortunately, it's also the spot where system complexity reaches a
> point where as a purely technical matter, source address filtering
> isn't always possible. You can filter your customers based on the
> routes they say they plan send you and you can filter your own
> internal networks based on the addresses you assign but filtering your
> peers for falsely sourced packets can be as intractable as filtering
> your upstream for falsely sourced packets.

I don't believe that's what I said.

Filtering based on routes doesn't help; that's *destination address*, not
source, no?

Yes, filtering your peers, or even transit customers, is effectively
impossible; it has to be done where addresses are handed out.

> > > 4. Applying the IDP _does not_ mean you cut off the network.
> > > That'll
> > > piss of your customers as much or more than it pisses off theirs.
> > > The
> > > position is untenable. Instead, the IDP consists of redirecting the
> > > offender's public presence web sites to a web site which proclaims
> > > the
> > > IDP, lists the causes of the IDP and lists the actions required to
> > > lift the IDP.
> >
> > Unless I misunderstand you there, you're suggesting that inbound
> > HTTP to
> > public websites *operated by the spoofing entity* should be
> > redirected
> > to a site that shames them? Yeah, that will piss them off less...
> > :-)
>
> I don't care about about pissing them off. I care about pissing off my
> customers. My customers will be pissed off if they can't reach their
> customers and suppliers. Who will often be hosted by the target of the
> IDP. But will much more rarely be the target of the IDP.

Ok; I apologies; I have laid the bike down in the sandy corner at
this point.  Huh?

> > > To ask the CEOs to authorize cutting off access to a competitor's web
> > > site with the full support and approval of a group of recognized
> > > Internet luminaries?
> >
> > The problem with that sub-approach is that luminaries (of the scale that
> > everyone will automatically listen to them), as Jon Postel has said, do
> > not scale.
>
> Which is A-OK because if we're applying more than 1 or 2 IDPs in a
> year to folks who weren't intentionally bad actors then we're doing it
> wrong. It shouldn't ever "scale."

Yes, but you can't measure such a panel on output, you have to measure
it on *input*, no?

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274