[168671] in North American Network Operators' Group
Re: TWC (AS11351) blocking all NTP?
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Mon Feb 3 02:08:48 2014
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org list" <nanog@nanog.org>
Date: Mon, 3 Feb 2014 07:08:25 +0000
In-Reply-To: <D811EDF8-B9C5-4723-BD0B-5E13D55F9465@deman.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 3, 2014, at 1:54 PM, Michael DeMan <nanog@deman.com> wrote:
> I certainly would not want to provide as part the AUP (as seller or buyer=
), a policy that fundamentals like NTP are 'blocked' to customers. Seems l=
ike too much of a slippery slope for my taste.
The idea is to block traffic to misconfigured ntpds on broadband customer a=
ccess networks, not to limit their choice of which ntp servers to use.
> In regards to anti-spoofing measures - I think there a couple of vectors =
about the latest NTP attack where more rigorous client-side anti-spoofing c=
ould help but will not solve it overall.
Rigorous antispoofing would solve the problem of all reflection/amplificati=
on DDoS attacks. My hunch is that most spoofed traffic involved in these a=
ttacks actually emanates from compromised/abused servers on IDC networks (i=
ncluding so-called 'bulletproof' miscreant-friendly networks), but I've no =
data to support that, yet.
> Trying to be fair and practical (from my perspective) - it is a lot easi=
er and quicker to patch/workaround IPv4 problems and address proper solutio=
ns via IPv6 and associated RFCs?
There's nothing in IPv6 which makes any difference. The ultimate solution =
is antispoofing at the customer edge.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
