[68286] in North American Network Operators' Group


Re: Source address validation (was Re: UUNet Offer New Protection

daemon@ATHENA.MIT.EDU (Sean Donelan)
Sun Mar 7 17:47:57 2004

Date: Sun, 7 Mar 2004 17:47:09 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: Paul Vixie <vixie@vix.com>
Cc: nanog@merit.edu
In-Reply-To: <g3oer8wbgv.fsf@sa.vix.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Sun, 7 Mar 2004, Paul Vixie wrote:
> in the therefore-unreal world i live in, the ability to tell a GWF ("goober
> with firewall") that the incident report they sent our noc could not possibly
> have come from here, is a net cost savings over having to prove it every time.

Of course, some people claim large networks say that anyway so there is
no net cost savings :-)

In practice, GWFs do not send reports to NOCs about packets which could
not possibly have come from here.  They send reports about packets
which have our IP addresses, but didn't originate here.  The last thing
you want to admit is you do SAV because GWFs think SAV means every packet
with that source address must have originated here.

Whether or not we do SAV or everyone else does SAV, it doesn't save any
time validating if a packet stream originated here.  Did the packet
actually originate here, or did SAV fail somewhere and it originated
somewhere else?

Dear NOC, 192.5.5.241 is attacking me.  Prove it isn't.  Rinse, Lather,
Repeat.  Maybe you got hacked in the last 5 seconds, and now you really
are attacking them.
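As an added illustration of the point in the message above (example code, not part of the original post), a small Python model of BCP38-style ingress filtering: the edge names and prefixes are assumed, with 192.5.5.0/24 standing in for the prefix of the example report. With our edge doing SAV but a neighbouring edge not, a packet carrying 192.5.5.241 could have entered at either; only when every edge validates does the reported source address identify where the packet entered.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumed names and prefixes, not from the message):
# each customer edge lists the prefixes it legitimately sources and whether
# it applies BCP38-style source address validation (SAV) on ingress.
EDGES = {
    "ours":  {"prefixes": [ip_network("192.5.5.0/24")],   "sav": True},
    "other": {"prefixes": [ip_network("203.0.113.0/24")], "sav": False},
}

def sav_permits(edge, src, edges=EDGES):
    """Ingress filter at one customer edge: with SAV on, a packet is only
    forwarded if its source lies in a prefix that edge legitimately sources;
    with SAV off, anything is forwarded, including spoofed sources."""
    net = edges[edge]
    if not net["sav"]:
        return True
    return any(ip_address(src) in p for p in net["prefixes"])

def possible_origins(src, edges=EDGES):
    """Every edge from which a packet carrying this source address could have
    reached the victim. This set is all an abuse report lets a NOC infer."""
    return sorted(e for e in edges if sav_permits(e, src, edges))

def with_universal_sav(edges=EDGES):
    """The same topology with SAV switched on at every edge."""
    return {e: {**v, "sav": True} for e, v in edges.items()}

if __name__ == "__main__":
    reported = "192.5.5.241"  # the source address in the example report
    print("SAV only at our edge:", possible_origins(reported))
    print("SAV at every edge:   ", possible_origins(reported, with_universal_sav()))
```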