[191978] in North American Network Operators' Group
RE: Legislative proposal sent to my Congressman
daemon@ATHENA.MIT.EDU (Harry Crowder)
Wed Oct 5 13:50:51 2016
X-Original-To: nanog@nanog.org
From: "Harry Crowder" <hcrowder@empiricalnetworks.com>
To: "'Larry Sheldon'" <larrysheldon@cox.net>,
"'Stephen Satchell'" <list@satchell.net>, <nanog@nanog.org>,
<ietf-action@ietf.org>
In-Reply-To: <16951763-5f17-7d29-6e07-2c1dd49cf6af@cox.net>
Date: Wed, 5 Oct 2016 09:15:57 -0500
Cc: soc@us-cert.gov, action@eff.org
Errors-To: nanog-bounces@nanog.org
The term you are referencing is unicast reverse path verify strict/hard mode.
It enforces that the packet's source can be reached via the interface on which the traffic is received.
If this were generally applied at all provider edge routers and DSL/dialup/VPC PoPs, it would solve the spoofing issue as a whole.
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Larry Sheldon
Sent: Monday, October 3, 2016 5:36 PM
To: Stephen Satchell <list@satchell.net>; nanog@nanog.org; ietf-action@ietf.org
Cc: soc@us-cert.gov; action@eff.org
Subject: Re: Legislative proposal sent to my Congressman
On 10/3/2016 13:58, Stephen Satchell wrote:
> In thinking over the last DDoS involving IoT devices, I think we don't
> have a good technical solution to the problem. Cutting off people
> with defective devices that they don't understand, and have little
> control over, is an action that makes sense, but hurts the innocent.
> "Hey, Grandma, did you know your TV set is hurting the Internet?"
>
> It's the people who foist bad stuff on the people who need to take the
> responsibility. Indeed, with enough moxie, we could avoid the net
> saturation problem in the first place.
>
> My proposal, as I sent it to my US House Representative:
>
[much snipping]
> Why not nip the IoT problem in the bud?
Why not, indeed? (Full disclosure: I am not and have not for some years been active in management of any networks, and I AM woefully behind the state of the arts.)
Having said that, it occurs to me that Mr. Satchell's proposal (and most of the others I have read about here and elsewhere lately) are doomed to the same failure as Chicago's plan for reducing illegal deaths by firearm, and for much the same reason (discussion of which here I will spare you).
Back in the day, I was fighting a problem that I summarized (then and now) as trying to stop the use and abuse of the University's (that employed me) 56kb Frame Relay link to the Internet. Then as now I defined "abuse" as the use of our facilities for purposes that no stretch of imagination or definition could be said to be to the University's benefit.
Through some experimentation I concluded that there were several clearly identifiable sources of abuse. I disremember the ordering by severity but they included:
Outright attacks on the University and others.
Myriad "scans" for a variety of reasons.
The first of these two I remember as being the worst (in terms of item-count AND in terms of packet-size). I also recall it being the easiest to fix, if anybody wanted to fix it. (The dominant reasons given were that it would cost money without a revenue stream, and it would reduce traffic that WAS in the revenue stream.) The fix I proposed:
Require (by law) that every service provider and every origination customer of a service provider would, under penalty of law, block the transmission of a packet whose source address could not be reached via the link upon which it was found.
The Myriad scans problem was a little harder (for, among other reasons, the argument that they were good for us, even though they accounted for something like 60% of the traffic on that link). The solution I tried but ran out of dollars on was to detect somebody scanning and route them to the Loopback interface of the boundary router.
--
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
--Albert Einstein
From Larry's Cox account.
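The strict-mode uRPF check Harry describes, and the "block any packet whose source address cannot be reached via the link it arrived on" rule Larry proposed, are the same test: a reverse longest-prefix lookup on the source address compared against the arrival interface. The following Python is an added illustration written for this archive page, not code from any poster or router vendor. The forwarding table, interface names, prefixes and packets are all constructed for the example; it also shows the two caveats a practitioner hits in deployment, namely that the default route does not satisfy the check unless explicitly allowed (so strict mode on an upstream link drops legitimate traffic) and that a multihomed customer whose best path is elsewhere gets dropped on its secondary link.

```python
import ipaddress

# Constructed forwarding table for a hypothetical provider edge router: each entry is
# (prefix, outgoing interface). Interface names and prefixes are invented for the example.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"),       "ge-0/0/0"),  # default route toward the upstream
    (ipaddress.ip_network("198.51.100.0/24"), "ge-0/0/1"),  # single-homed customer A
    (ipaddress.ip_network("203.0.113.0/24"),  "ge-0/0/2"),  # single-homed customer B
    (ipaddress.ip_network("192.0.2.0/24"),    "ge-0/0/3"),  # customer C, best path; C also has a link on ge-0/0/4
]


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match for addr.

    Returns the interface the router would use to reach addr, or None when no
    route covers it. The default route is ignored unless allow_default is set,
    mirroring the common router behaviour where a default does not satisfy uRPF.
    """
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict(fib, src, in_iface, allow_default=False):
    """Strict (rx) mode: accept only if the best route back to src exits the
    interface the packet arrived on."""
    return lookup(fib, src, allow_default) == in_iface


def urpf_loose(fib, src, allow_default=False):
    """Loose (any) mode: accept if any route back to src exists at all.
    Catches unrouted sources but not spoofing of another customer's prefix."""
    return lookup(fib, src, allow_default) is not None


def filter_packets(fib, packets, allow_default=False):
    """Apply strict uRPF to (src, in_iface) pairs; returns 'accept' or 'drop' per packet."""
    return [
        (src, iface, "accept" if urpf_strict(fib, src, iface, allow_default) else "drop")
        for src, iface in packets
    ]


# Constructed sample packets: (source address, arrival interface).
PACKETS = [
    ("198.51.100.7", "ge-0/0/1"),  # customer A using its own address: accept
    ("203.0.113.9",  "ge-0/0/1"),  # customer A spoofing customer B's prefix: drop
    ("192.0.2.200",  "ge-0/0/1"),  # customer A spoofing a prefix not behind its link: drop
    ("192.0.2.5",    "ge-0/0/4"),  # customer C on its secondary link: strict mode drops it (asymmetric routing)
    ("100.64.0.1",   "ge-0/0/0"),  # remote source on the upstream link: dropped unless the default route is allowed
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(FIB, PACKETS):
        print(f"{src:14} in {iface}: {verdict}")
    # Strict mode belongs on customer-facing edges. On the upstream link it needs
    # allow_default, and loose mode is the usual choice there.
    print("upstream with allow_default:", urpf_strict(FIB, "100.64.0.1", "ge-0/0/0", allow_default=True))
    print("loose mode, routed vs unrouted source:", urpf_loose(FIB, "192.0.2.5"), urpf_loose(FIB, "100.64.0.1"))
```

The last two packets are why strict mode is a customer-edge control rather than something switched on everywhere: on a transit or peering interface the reverse path for most of the Internet is the default route or a different link, and a multihomed customer needs loose mode (or per-customer prefix ACLs) on all but its best-path link.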