[32123] in North American Network Operators' Group
Re: Defeating DoS Attacks Through Accountability
daemon@ATHENA.MIT.EDU (Mark Mentovai)
Sat Nov 11 11:29:20 2000
From: "Mark Mentovai" <mark-list@mentovai.com>
Date: Sat, 11 Nov 2000 11:27:20 -0500 (EST)
To: Mark Prior <mrp@connect.com.au>
Cc: Simon Lyall <simon.lyall@ihug.co.nz>, nanog@merit.edu
In-Reply-To: <20001111094606.0ED6510B25@kuji.off.connect.com.au>
Message-ID: <Pine.GSO.4.21.0011111117040.11441-100000@pine.ggn.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu

Mark Prior wrote:
>It's not the route filters per se, it's the fact that the principle we
>use is if you don't announce the route to us we won't accept traffic
>sourced by that network. Saying that you are the source for the
>network but not advertising the route doesn't cut it.

Not so fast, there are situations when you are authorized to have a certain
chunk of address space but elect not to advertise it a certain way for
whatever reason. Maybe someone has a pipe that they want to use for
outbound traffic only and they don't want to use it at all for inbound traffic,
and as a result, they don't advertise their routes across it. What
justification do you use for dropping traffic that falls into this category?

Obviously, I wouldn't want a situation where I could simply give my provider
a list of addresses for them to permit without checking that I'm authorized
- providers should always check that their customers are authorized to use
the blocks they intend to use.

I'll put it this way: filtering should be done against blocks that a
customer can announce, not against blocks that a customer is actively
announcing. If you're filtering purely against current advertisements,
you're bound to break something sooner or later.

Mark
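To make the distinction the post draws concrete, here is an added example (not part of the original message or of anyone's router configuration) that simulates the two ingress policies over constructed sample traffic. The prefixes 192.0.2.0/24, 198.51.100.0/24 and the source addresses are constructed documentation ranges; the customer is assumed to be authorized for both blocks but to advertise only the first one over this link, the outbound-only situation the post describes.

```python
import ipaddress

# Constructed example: a customer is authorized (per the provider's
# records) for two prefixes but, for its own traffic-engineering reasons,
# only advertises one of them over this particular link.
AUTHORIZED_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
ADVERTISED_ON_THIS_LINK = [
    ipaddress.ip_network("192.0.2.0/24"),
]


def _covered(src, prefixes):
    """True if the source address falls inside any listed prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in prefixes)


def filter_by_advertisement(src):
    """Ingress policy keyed to what the customer is currently announcing
    on this link (the behaviour the post argues against)."""
    return "permit" if _covered(src, ADVERTISED_ON_THIS_LINK) else "drop"


def filter_by_authorization(src):
    """Ingress policy keyed to what the customer is authorized to
    announce, regardless of what it advertises right now."""
    return "permit" if _covered(src, AUTHORIZED_BLOCKS) else "drop"


def compare(sources):
    """Run both policies over a list of source addresses and return
    {source: (advertisement_result, authorization_result)}."""
    return {s: (filter_by_advertisement(s), filter_by_authorization(s))
            for s in sources}


if __name__ == "__main__":
    # Constructed sample sources: one in the advertised block, one in an
    # authorized-but-unadvertised block (outbound-only link), one outside
    # everything the customer holds.
    samples = ["192.0.2.10", "198.51.100.5", "203.0.113.7"]
    for src, (adv, auth) in compare(samples).items():
        print(f"{src:16} advertisement-based={adv:6} authorization-based={auth}")
```

Running it shows the point of the post: the advertisement-keyed policy drops 198.51.100.5 even though the customer legitimately holds that block, while the authorization-keyed policy permits it and still drops 203.0.113.7, which the customer is not authorized for under either policy.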