[32132] in North American Network Operators' Group


Re: Defeating DoS Attacks Through Accountability

daemon@ATHENA.MIT.EDU (Mark Prior)
Sun Nov 12 00:26:51 2000

To: Valdis.Kletnieks@vt.edu
Cc: Mark Mentovai <mark-list@mentovai.com>,
	Simon Lyall <simon.lyall@ihug.co.nz>, nanog@merit.edu
In-reply-to: Your message of "Sat, 11 Nov 2000 22:48:52 CDT."
             <200011120348.eAC3mrw23276@black-ice.cc.vt.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <12426.974006506.1@connect.com.au>
Date: Sun, 12 Nov 2000 15:51:46 +1030
From: Mark Prior <mrp@connect.com.au>
Message-Id: <20001112052152.31B1710B25@kuji.off.connect.com.au>
Errors-To: owner-nanog-outgoing@merit.edu


     > Not so fast, there are situations when you are authorized to have a certain
     > chunk of address space but elect not to advertise it a certain way for
     > whatever reason.  Maybe someone has a pipe that they want to use for
     > outbound traffic only and they don't want to use it at all inbound traffic,
     > and as a result, they don't advertise their routes across it.  What
     > justification do you use for dropping traffic that falls into this category?

     It's a general principle.

     Anyhow, they're going to get damned little inbound traffic unless they
     announce a route for it to *someplace*.   I think the original *general*
     policy was "If we don't have ANY route for it, we don't accept the traffic",
     which sort of makes sense - how would you get through a TCP 3-way handshake
     if the SYN+ACK always got back an ICMP Host Unreachable?  I saw no requirement
     that the routing not be asymmetric, only that routing exist.

     I'm sure Mark Prior will correct me if I mis-read him... ;)

Actually since we use "ip verify unicast reverse-path" we expect the
route to come from the same place as the traffic.

Mark.
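The difference between the strict reverse-path check Mark describes and the "we have some route for it" reading Valdis gives, as an added Python model that is not part of this thread and not any vendor's code. The routing table, interface names and addresses are constructed for illustration, and treating the default route as "no route" unless explicitly allowed is an assumption of this model.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: prefix -> outbound interface (longest-prefix match).
# 203.0.113.0/24 is announced only over ge-1, but the customer sends its outbound
# traffic over ge-2: the asymmetric case debated in the thread.
ROUTES = {
    "0.0.0.0/0": "ge-0",          # assumed default route toward an upstream
    "198.51.100.0/24": "ge-1",
    "203.0.113.0/24": "ge-1",
}


def best_route(addr):
    """Longest-prefix match for addr; returns (network, interface) or None."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ip_network(prefix)
        if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accept(src, in_iface, mode="strict", allow_default=False):
    """Reverse-path check on a packet's source address.

    strict: the best route back to src must point out the interface the packet
            arrived on (Mark's "route comes from the same place as the traffic").
    loose:  any route back to src is enough (Valdis's reading: drop only when
            there is no route at all).
    The default route counts as "no route" unless allow_default is set (assumption).
    """
    route = best_route(src)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == in_iface


def classify(packets, mode="strict"):
    """Apply urpf_accept to constructed (src, in_iface) tuples; returns a list of verdicts."""
    return [("accept" if urpf_accept(src, iface, mode) else "drop") for src, iface in packets]


if __name__ == "__main__":
    sample = [("203.0.113.5", "ge-1"), ("203.0.113.5", "ge-2"), ("192.0.2.9", "ge-2")]
    for m in ("strict", "loose"):
        print(m, list(zip(sample, classify(sample, m))))
```

In strict mode the asymmetric customer's packets arriving on ge-2 are dropped even though a route for 203.0.113.0/24 exists; in loose mode only the source with no route at all (192.0.2.9, covered solely by the default) is dropped.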

