[27068] in North American Network Operators' Group
Re: Yahoo! Lessons Learned
daemon@ATHENA.MIT.EDU (Vadim Antonov)
Tue Feb 8 23:26:54 2000
Date: Tue, 8 Feb 2000 20:24:55 -0800
From: Vadim Antonov <avg@kotovnik.com>
Message-Id: <200002090424.UAA08017@kitty.kotovnik.com>
To: dts@senie.com, nanog@nanog.org
Errors-To: owner-nanog-outgoing@merit.edu
Daniel Senie <dts@senie.com> wrote:
> While implementing these measures may not directly benefit your network,
> doing so may thwart an attack against someone else's net. Tomorrow, the
> roles could be reversed. As with many areas of managing the Internet,
> cooperation is key.
Yep. Actually, tier-1 ISPs can write the requirement for reverse-path source
IP address verification on customer access circuits into their peering agreements.
Enforcement can take the form of penalties per verified incident of forged source
address attack originating in a peer's network.
(The adversarial IP prefix filtering was needed to institute such prefix-reduction
policies as aggregation and address allocation out of ISP blocks. I remember that
purely voluntary efforts were pretty much derailed by negligence of some ISPs
(why does AS 174 come to mind? :) I do not expect reverse path filtering to be
any different in terms of deployment problems.)
--vadim