[74879] in North American Network Operators' Group


Re: BCP38 making it work, solving problems

daemon@ATHENA.MIT.EDU (Fred Baker)
Tue Oct 19 08:20:27 2004

Date: Tue, 19 Oct 2004 08:19:32 -0400
To: JP Velders <jpv@veldersjes.net>
From: Fred Baker <fred@cisco.com>
Cc: Paul Vixie <vixie@vix.com>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.58.0410191309360.12384@jp-gp.vsi.nl>
Errors-To: owner-nanog-outgoing@merit.edu


At 01:11 PM 10/19/04 +0200, JP Velders wrote:
>As it was "in the old days": first clean up your own act and then start 
>pointing at others that they're doing "it" wrong.

hear hear... But Paul knows and in fact does that. He is pointing out the 
difficulty of getting people to do basic things that are for their own 
benefit.

For example, how many ISPs use TCP MD5 to limit the possibility of a 
BGP/TCP connection getting hijacked or disrupted by a DDoS attack? But this 
has been in the code since ~1990, and was put there because of a fairly 
serious and specific attack that was made on Internet routing, and benefits 
primarily the ISP that enables the procedure in that it knows that its 
routes are coming to it from systems it has chosen to trust.

Ingress filters help the ISP that installs them, in that a certain class of 
attacks is prevented among customers of the ISP. Would it be better if all 
ISPs and all edge networks put appropriate filters in place? Absolutely. 
But even if they do not, the ISP saves itself that much trouble.

Where ingress filters don't help, of course, is when the attacks come from 
an apparently-legitimate address. Then we are off to other tools. 
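The ingress-filtering behaviour Fred describes (a customer-facing interface only accepts packets whose source address belongs to that customer, and an attack that spoofs a legitimate-looking source from the right prefix still gets through) as an added, stand-alone example that is not part of the original post or of any vendor's code. The interface names, prefixes and sample packets are constructed for illustration; the ACL rendering assumes Cisco IOS named extended ACL syntax with wildcard masks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy (not from the post): customer-facing interface -> prefixes
# the ISP has assigned to that customer. BCP38 says packets arriving on the
# interface must carry a source address inside one of those prefixes.
INGRESS_POLICY = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("198.51.100.128/26")],
}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str        # source IP address as a string
    dst: str        # destination IP address as a string


def bcp38_permits(pkt: Packet, policy=INGRESS_POLICY) -> bool:
    """Return True if the source address is valid for the ingress interface."""
    allowed = policy.get(pkt.in_iface)
    if allowed is None:
        # Interface without an assigned prefix list: fail closed rather than
        # silently forward whatever arrives.
        return False
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed)


def filter_packets(pkts, policy=INGRESS_POLICY):
    """Split packets into (accepted, dropped) according to the ingress policy."""
    accepted, dropped = [], []
    for p in pkts:
        (accepted if bcp38_permits(p, policy) else dropped).append(p)
    return accepted, dropped


def to_ios_acl(name: str, prefixes) -> list:
    """Render the per-interface policy as a Cisco IOS named extended ACL.

    IOS ACLs use wildcard masks (the inverse of the netmask), which the
    ipaddress module exposes as .hostmask. The final 'deny ip any any log'
    is what makes spoofed sources visible in the router's logs.
    """
    lines = [f"ip access-list extended {name}"]
    for net in prefixes:
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "192.0.2.10", "203.0.113.5"),       # legitimate
    Packet("ge-0/0/1", "198.51.100.7", "203.0.113.5"),     # spoofs another customer
    Packet("ge-0/0/2", "198.51.100.200", "203.0.113.5"),   # outside 198.51.100.128/26
    Packet("ge-0/0/2", "198.51.100.130", "203.0.113.5"),   # legitimate
    Packet("ge-0/0/9", "192.0.2.1", "203.0.113.5"),        # interface with no policy
    Packet("ge-0/0/1", "192.0.2.66", "203.0.113.5"),       # "apparently-legitimate":
                                                          # right prefix, so it passes
]

if __name__ == "__main__":
    acc, drp = filter_packets(SAMPLE_PACKETS)
    for p in acc:
        print("ACCEPT", p.in_iface, p.src, "->", p.dst)
    for p in drp:
        print("DROP  ", p.in_iface, p.src, "->", p.dst)
    print("\n".join(to_ios_acl("BCP38_CUST1", INGRESS_POLICY["ge-0/0/1"])))
```

The last sample packet is the case the post's final paragraph makes: a source inside the customer's own prefix is indistinguishable from legitimate traffic at the ingress filter, so BCP38 stops the spoofing class of attacks but not an attack launched from a real address, which needs other tools.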

