[161502] in North American Network Operators' Group


Re: [c-nsp] DNS amplification

daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Mar 18 09:26:09 2013

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAL9jLaYHp_5BKFsAAPfUAAyrJf42aPRhB=rA3awC-a-8Anftbg@mail.gmail.com>
Date: Mon, 18 Mar 2013 09:25:53 -0400
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: nanog@nanog.org, Arturo Servin <arturo.servin@gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 17, 2013, at 8:55 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:

> On Sun, Mar 17, 2013 at 6:36 PM, Arturo Servin <arturo.servin@gmail.com> wrote:
>>
>>        They should publish the spoofable AS. Not for public shame but at least
>> to show the netadmins that they are doing something wrong, or if they
>> are trying to do the good thing it is not working.
>>
>>        Or at least a tool to check for your ASN or netblock.
>
> I don't disagree, but I'd point out that there are likely easier
> places to do bcp38 than others in everyone's network(s)... So, 'I do
> bcp38' unqualified is not as helpful, especially when almost all
> consumer grade links are bcp38 by default, which is likely where a
> bunch of this measurement originates. (well, I suspect a bunch of it
> is from consumer-grade links anyway)

(Not sure how this made it from c-nsp to nanog, but ...)

uRPF/BCP38 is an important part of a global solution.  Similar to open-relays, smurf amplifiers, and other "badness" on the network, one must assist the global network by deploying it where it makes sense.

Deploying it at your customer ports may make sense depending on your network.  Deploying it on peers may also make sense.

I think having a simple set of locations where people actually deploy it is critical, eg:

Colocation Network
Server Lans
VPS Lans
Static Routed Customer Edge

This should be the default, and something I've pushed at my employer for years.

If you do nothing, you can expect nothing as the result.  If you attempt to do something, you can at least get an idea of where it's not coming from.  At least target these easy edges of the network where there is some value.

- Jared
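The deployment points Jared lists (server LANs, VPS LANs, statically routed customer edges versus peers) differ in how a source-address check can be applied, and the example below is an added illustration of that mechanism, not code from the thread or from any router vendor. It models the two standard uRPF modes (strict and loose, per RFC 3704) and a static BCP38 ingress ACL against a constructed forwarding table, so the reader can see why strict mode fits a single-homed customer port while a peer link with only a default route behind it behaves differently. The interface names, prefixes and sample packets are all constructed; the rule that a default route is ignored unless explicitly allowed mirrors common router behaviour but is stated here as an assumption of the model.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed forwarding table for an imaginary edge router: (prefix, egress interface).
# Interface names follow the deployment points in the mail: "cust1"/"cust2" are
# statically routed customer edges, "servers" a server LAN, "peer0" an upstream
# peer reached via the default route.  Nothing here comes from a real network.
FIB: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "peer0"),
    ("198.51.100.0/24", "cust1"),
    ("203.0.113.0/24", "cust2"),
    ("192.0.2.0/24", "servers"),
]


def best_route(fib, src: str, allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match for src; returns the egress interface or None.

    Assumption of this model: the default route is ignored for the reverse-path
    check unless allow_default is set, which is how most routers behave."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(fib, src: str, ingress: str, allow_default: bool = False) -> bool:
    """Strict mode: the best route back to src must point out the ingress interface."""
    return best_route(fib, src, allow_default) == ingress


def urpf_loose(fib, src: str, ingress: str, allow_default: bool = False) -> bool:
    """Loose mode: any usable route to src suffices, regardless of interface."""
    return best_route(fib, src, allow_default) is not None


def bcp38_acl(allowed: List[str], src: str) -> bool:
    """Static ingress filter: the ACL alternative to uRPF on a customer port."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in allowed)


def classify(fib, packets):
    """Run every (src, ingress) pair through strict uRPF, loose uRPF and,
    where the ingress is a customer port, that customer's static ACL."""
    acls = {"cust1": ["198.51.100.0/24"], "cust2": ["203.0.113.0/24"]}
    out = []
    for src, ingress in packets:
        out.append({
            "src": src,
            "ingress": ingress,
            "strict": urpf_strict(fib, src, ingress),
            "loose": urpf_loose(fib, src, ingress),
            "acl": bcp38_acl(acls[ingress], src) if ingress in acls else None,
        })
    return out


# Constructed sample traffic: (source address, ingress interface).
SAMPLE = [
    ("198.51.100.7", "cust1"),  # legitimate customer traffic
    ("203.0.113.9", "cust1"),   # cust1 using another customer's address
    ("10.0.0.1", "cust1"),      # unrouted source arriving from cust1
    ("192.0.2.5", "peer0"),     # our own server LAN's address arriving from the peer
    ("8.8.8.8", "peer0"),       # ordinary internet source arriving from the peer
]

if __name__ == "__main__":
    for row in classify(FIB, SAMPLE):
        print(row)
```

Running it shows the split the mail is getting at: on a statically routed customer edge, strict uRPF and the per-customer ACL agree on every packet, so either is cheap to deploy there. On the peer link, strict mode rejects everything reachable only via the default route (the "8.8.8.8" row) unless the default is explicitly allowed, while loose mode still accepts a forged address from the operator's own server LAN; that is why the edges in Jared's list are the natural first place to filter and the peer side needs more thought.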

