Home page logo
/

nanog logo nanog mailing list archives

RE: On the back of other 'security' posts....
From: "Stephen J. Wilcox" <steve () telecomplete co uk>
Date: Sun, 31 Aug 2003 13:25:33 +0100 (BST)


On Sat, 30 Aug 2003, Terry Baranski wrote:

Sure, blocking spoofed traffic in the limited cases where it is feasible at
the edge would be a good thing, but, I don't see failure to do so as
negligent.

In what instances is blocking spoofed traffic at the edge not feasible?
("Spoofed" as in not sourced from one of the customer's netblocks.)

Where the customer is not a basic end user.. an ISP for example who may be 
transiting traffic from netblocks that are not theirs.

We still have the other problem where a lot of large networks are using RFC1918 
addresses that do not get NAT'd thus filtering will break pMTU.. this is an 
issue in my experience mainly for those who host websites, altho many of those 
are filtering their own packets anyway and have broken sites!

Where exactly do you think that the duty to care in this 
matter would come from for said ISP?

Isn't the edge by far the easiest and most logical place to filter
spoofed packets?  What are the good reasons not to do so?    

It is the only place, virtually any source and destination address could pass 
across our network core, there is no way to filter at any part of the Internet 
backbone

Again, I just don't see where an ISP can or should be held liable for
forwarding what appears to be a correctly formatted datagram with a valid
destination address.

I guess "correctly formatted" is a relative term.  When *isn't* a packet
with a spoofed source IP address guaranteed to be illegitimate?  Maybe
such packets shouldn't be considered "correct".  

Edge filtering ok. But in general it is not the job of the IP router to look 
into the higher level protocols to determine what the packet does. Look up 
papers on why this would be bad, RFC3439 by Randy and Dave Meyer is a good read!

Steve


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]