[39154] in North American Network Operators' Group


Re: peering requirements (Re: DDOS anecdotes)

daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Wed Jun 27 03:16:25 2001

Message-Id: <4.3.2.7.2.20010627100734.00aecce0@max.att.net.il>
Date: Wed, 27 Jun 2001 10:15:04 +0200
To: Paul A Vixie <vixie@mfnx.net>, nanog@merit.edu
From: Hank Nussbacher <hank@att.net.il>
In-Reply-To: <200106262152.OAA46951@redpaul.mfnx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


At 14:52 26/06/01 -0700, Paul A Vixie wrote:

> >   o source filtering at high bandwidth
>
>i consider this nonsoluble.  some routers can already do it, but making the
>ownership and deployment of such routers be the minimum price of entry into
>the peering game is a fatal nonstarter of an idea.  and the infrastructure
>for expressing netblock ownership in a way that could be used to build
>accurate and reliable filters (assuming the routers could load such filters
>and act on them at wire speed) isn't there.  i think this way lies madness.
>
>source filtering is an edge problem, at current technology levels.  but how
>to ensure that other people do it at THEIR edge is a separate problem from how
>to do it at YOUR edge.  the former is social/economic, the latter is 
>technical.

I have found a fairly easy way to make this start happening.  When putting 
out an RFI/RFP for some Internet connectivity/Web hosting/VPN/etc.  - in 
addition to putting in the obvious rtt minimums, SLAs, OC-48 backbones, 
24x7 NOCs, etc. I have started to include the following:

- anti-spoofing source filtering

Even if the ISP can't do it - the sales and marketing people are now 
driving the change process.  The more RFI/RFPs that ISPs see that contain 
such a mandatory section, the more the network will become a better place 
to live.  There are more than enough consultants/people on this list that 
can drive this process very quickly.

-Hank

PS I also include "human response to abuse@ email within 24 hours" :-)


