[87987] in North American Network Operators' Group
Re: DOS attack against DNS?
daemon@ATHENA.MIT.EDU (Daniel Senie)
Mon Jan 16 16:39:39 2006
Date: Mon, 16 Jan 2006 16:22:18 -0500
To: Joel Jaeggli <joelja@darkwing.uoregon.edu>,
Paul Vixie <vixie@vix.com>
From: Daniel Senie <dts@senie.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.64.0601160943150.30093@twin.uoregon.edu>
Errors-To: owner-nanog@merit.edu
At 12:52 PM 1/16/2006, Joel Jaeggli wrote:
>On Mon, 16 Jan 2006, Paul Vixie wrote:
>
>>
>>Mark_Andrews@isc.org (Mark Andrews) writes:
>>
>>> For repeat offenders create a list of networks that won't
>>> implement BCP 38 and collectively de-peer with them telling
>>> them why you are de-peering and what is required to
>>> re-establish connectivity. It is in everyone's interests
>>> to do the right thing here.
>>
>>people inside one of the largest networks have told me that they have
>>customers who require the ability to bypass BCP38 restrictions, and that
>>they will therefore never be fully BCP38 compliant. i've asked for BCP38
>>to become the default on all their other present and future customers but
>>then there was whining about bankruptcy, old outdated equipment, and so on.
>>sadly, there's no way to de-peer this network, or any other multinational,
>>and so there will be no "peer pressure" on them to implement BCP38.
>
>Consider people in the rest of the world who may purchase simplex
>satellite links. By definition they inject traffic in places they
>aren't announcing their route from.

Sounds like the landing sites would not be able to use Unicast RPF.
However, they could still use BCP38. Nothing says the filters have to
be magically generated from routing data (not that uRPF really does
that either, since it works off the FIB on most routers).

Mobile IP had the same set of issues when we were first working on
the ingress filtering drafts. In their case, a bit of tunneling
solved the issue. While tunneling could easily solve the satellite
case too, there may be resistance to that.
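
The distinction drawn in the message above, between strict uRPF (driven by the FIB) and a statically configured BCP 38 ingress filter, can be seen in a small model of a satellite landing site. This is an added example, not part of the original post; the interface names, prefixes (RFC 5737 documentation ranges) and function names are all constructed for illustration.

```python
import ipaddress

# Constructed FIB at the landing site: the simplex-satellite customer's
# prefix is reachable via transit0, although its traffic arrives on sat0.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "transit0",   # satellite customer
    ipaddress.ip_network("198.51.100.0/24"): "cust1",   # symmetric customer
    ipaddress.ip_network("0.0.0.0/0"): "transit0",      # default route
}

# Constructed static ingress filters (BCP 38): source prefixes allowed per
# customer-facing interface, provisioned by hand rather than from routing.
INGRESS_ACL = {
    "sat0": [ipaddress.ip_network("192.0.2.0/24")],
    "cust1": [ipaddress.ip_network("198.51.100.0/24")],
}

def fib_lookup(addr):
    """Longest-prefix match; returns the interface the FIB would send to."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in FIB if ip in n), key=lambda n: n.prefixlen)
    return FIB[best]

def strict_urpf_permits(src, in_if):
    """Strict uRPF: accept only if the route back to src uses in_if."""
    return fib_lookup(src) == in_if

def static_acl_permits(src, in_if):
    """Static ingress filter: accept only sources assigned to in_if."""
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in INGRESS_ACL.get(in_if, []))

def evaluate(packets):
    """Return (src, in_if, urpf_ok, acl_ok) for each (src, in_if) pair."""
    return [(s, i, strict_urpf_permits(s, i), static_acl_permits(s, i))
            for s, i in packets]

# Constructed sample traffic: (source address, arriving interface).
PACKETS = [
    ("192.0.2.10", "sat0"),     # genuine satellite customer
    ("203.0.113.7", "sat0"),    # spoofed source on the satellite link
    ("198.51.100.5", "cust1"),  # genuine symmetric customer
    ("192.0.2.10", "cust1"),    # cust1 spoofing the satellite prefix
]

if __name__ == "__main__":
    for row in evaluate(PACKETS):
        print(row)
```

Strict uRPF drops the genuine satellite customer along with the spoofed packets because the return route points elsewhere, while the static filter admits the customer and still rejects both spoofed sources.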