[52663] in North American Network Operators' Group
RE: Who does source address validation? (was Re: what's that smell?)
daemon@ATHENA.MIT.EDU (Mark Borchers)
Tue Oct 8 11:22:52 2002
From: "Mark Borchers" <mborchers@igillc.com>
To: "Sean Donelan" <sean@donelan.com>, "Joe Abley" <jabley@isc.org>
Cc: "Kelly J. Cooper" <kcooper@genuity.net>, <nanog@merit.edu>
Date: Tue, 8 Oct 2002 10:21:52 -0500
In-Reply-To: <Pine.GSO.4.40.0210081056310.12533-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu
IMHO, it's not too bad if you do it at your edges. Explicit
permits for valid source addrs is a well-known defense against
source spoofing which of course also addresses the RFC1918
leakage issue to some degree. It's not that hard to incorporate
this into customer installation and support processes.
A lot more difficult to manage at the borders.
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Sean Donelan
> Sent: Tuesday, October 08, 2002 10:09 AM
> To: Joe Abley
> Cc: Kelly J. Cooper; nanog@merit.edu
> Subject: Who does source address validation? (was Re: what's that
> smell?)
>
>
>
> On Tue, 8 Oct 2002, Joe Abley wrote:
> > What is difficult about dropping packets sourced from RFC1918 addresses
> > before they leave your network?
> >
> > I kind of assumed that people weren't doing it because they were lazy.
>
> I've checked the marketing stuff of several backbones, as far as I could
> tell only one makes the blanket statement about source address
> validation on their entire network.
>
> http://www.ipservices.att.com/backbone/techspecs.cfm
>
> AT&T has also implemented security features directly into the backbone.
> IP Source Address Assurance is implemented at every customer
> point-of-entry to guard against hackers. AT&T examines the source
> address of every inbound packet coming from customer connections to
> ensure it matches the IP address we expect to see on that packet. This
> means that the AT&T IP Backbone is RFC2267-compliant.
>
> What backbones do 100% source address validation? And how much of it is
> real, and how much is marketing? On single-homed or few-homed stub
> networks its "easy." But even a moderately complex transit network it
> becomes "difficult." Yes, I know about uRPF-like stuff, but the router
> vendors are still tweaking it.
>
> If there is a magic solution, I would love to hear about it.
> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.
>
> Heck, the phone network still has trouble getting the correct Caller-ID
> end-to-end.
>
>
