Home page logo
/

nanog logo nanog mailing list archives

Re: Things to do to make the network better
From: Morten Reistad <mrr () norway eu net>
Date: Wed, 07 Jan 1998 10:39:59 +0100

In message <199801051756.JAA17924 () cypress nwnet net>, Tom Killalea writes:


A regular reader of your mailing list forwarded this to me :

I will also point out that many of the recent "smurf" attacks and
similar problems people are having on the net would be gone if people
would just carefully filter internal/external addresses on their
border machines, that is, prevent packets claiming to be from "inside"
networks from coming in from the "outside", and prevent packets
claiming to be from "outside" networks from going out from the
"inside". The latter will stop your network from *ever* being the
source of a wide variety of packet forgery attacks, and is necessary
to being a good network citizen. The former will stop your network
from being the subject of a wide variety fo packet forgery attacks,
and is necessary to make your customers even remotely safe on the net.

There are two chances of 'upholding the address space integrity' of
the Internet; assuming the current service model with 

Customer --> ISP ----> Internet Core

The first one is on the IGP level, where the addresses assigned inside
the network of the ISP is routed towards the customer. These addresses
should be enforced on the interface between the ISP and the customer;
and they frequently are. The major obstacle for this are scaling issues
related to routing and filtering. 

I am network manager for a pretty much medium-sized ISP, with around
1700 internal network blocks; 600 of which come from dynamic sources.
(RADIUS; variuos routing protocols). Given that a stock router will
run out of filter lists long before the 600 mark I see major scaling
problems here. (Outside of our network we show around 30 BGP network
aggregates).

This must be database driven, properly authenticicated, and fast enough
to be able to track re-routing in the network. This technology does not
exist, and will have to be designed, implemented on standard hardware
and rolled out into production networks to get proper address integrity on
the Internet.

The second chance is between the ISP and the Internet Core. Here BGP
is used for interaction, and the BGP aggregates should be nailed up.
Filter lists to match these are relatively easy to generate, but it
means that some core routers will evaluate filter lists for some
10-100 megabits of traffic. Current routers can do that up to the low
two-digit megabits, so for a medium-sized ISP far outside of the US
we can use this approach; but for the large players this is a non-starter.

I strongly recommend such filtering in sections 5.7 and 5.8 of my 
"Security Expectations for Internet Service Providers" draft
  ftp://ds.internic.net/internet-drafts/draft-ietf-grip-isp-02.txt
and we've heard Paul plug 
  ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-03.txt
here many times.

To answer Owen comments regarding the difficulty of filtering for
transit providers, I argue that filtering should happen as close to the
actual hosts as possible.




Tom.
--
Tom Killalea   (425) 649-7417    NorthWestNet
               tomk () nwnet net
--
       ___
===   /     /  /   __   ___  _/_  ===  Morten Reistad, Network Manager
===  /---  /  /  /  /  /__/  /    ===  EUnet Norway AS, Sandakerveien 64, Oslo
=== /___  /__/  /  /  /__   /     === <Morten.Reistad () Norway EU net>
=== Connecting Europe since 1982  ===  phone +47 2209 2940


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]