On Thu, 2 Sep 1999, Matthew G. Harrigan wrote:
> > It's no different than any other address space that gets advertised by
> > multiple entities. Tier-1 providers should be filtering their ingress
> > routes anyway, not that it should matter unless you're the destination.
> > Sourced packets from any source address will reach you, the IANA reserved
> > blocks shouldn't mean anything different than any other spoofed packet to
> > a network.
>
> My point exactly.
My point is that the IANA blocks hold no "special" status in this
regard. If you're sourcing the packets, it's your data leaking, so
Tier-anything providers really shouldn't mind. If you're accepting the
packets then it's up to you how you deal with that data. I don't see any
special culpability on other network operators to stop anything other
than falsely-sourced packets from their AS'. Even in that case,
filtering what you accept removes the potential harm from such packets in
the case of the "reserved" blocks.
> Ok, saying you "shouldn't do such things" is fine for conversation, but tell
> this to the near 50 Tier 1's (this number expands and contracts on almost a
> weekly basis depending on who's acquiring or striking deals with who). My
> point is that
I don't need to, I need only deal with my Tier-1's and ensure that
they're enforcing peering. If I have a problem with one of my providers
advertising a reserved netblock, I can call them and ask them why the
hell they're not filtering it. Why should the other N providers worry
me? If I wasn't filtering them, and I was that worried, I'd have a cron
job look at the BGP data and auto-e-mail my provider and the offending
AS' contact.
> the Internet doesn't operate on what people say, it operates on what people
> do, and that you have to account for reasonable levels of chaos when dealing
> with larger numbers
Hence ingress filtering and access lists at your borders.
> of individuals. The probability that people make routing mistakes is
> high...the
These days most Tier-1's do ingress route filtering, and I'd put the
probability lower than "high"; things were a lot worse once upon a time,
and there are much more common and damaging routing mistakes when dealing
with BGP.
> probability that the mistake made is "routing private addressing to others"
> is less, but significant, and last.. the probability that two major providers
> do it at the same time is even less, but still there. As far as the ACL stuff
> goes, some folks implement it, some don't.
Then they'll have to deal with the results of not implementing it. I'd
be far more concerned about an invalid announcement of my own netblock
than I would be of the 1918 addresses, even if I didn't filter it, used NAT
and/or stateful firewalls, and allowed untested equipment to be part of
my security infrastructure.
Some folks implement firewalls, some don't - that impacts well-managed or even
poorly managed networks more fully than announcing 1918 networks.
Why do you think it would be more significant if two providers advertised
themselves as routes to the address space at once? Your theoretical
leaked packets would simply choose the best path to one of the two.
If you're expecting two leaking networks to start talking to each other,
realize that (a) both networks would have to leak packets, (b) both
networks would have to accept leaked packets, (c) both leaky networks'
providers would have to announce *different* parts of the 1918 networks,
which their clients would have to happen to be using internally, (d)
host addressing would have to coincide, (e) neither provider would be
doing ingress filtering on those networks nor any of their peers if they
didn't directly peer with one another, and more importantly (f) the
internal routing infrastructure at both entities would have to recognize
the "foreign" 1918 networks as non-local (pretty much removing the
possibility of accidental traffic to the wrong machine). The likelihood of
that happening is pretty slim, and is far out enough to not lose any
sleep over.
> > People have announced routes to the 1918 netblocks before. Broken load
> > balancing and NAT equipment has leaked before, it'll happen again, but it
> > shouldn't be a big deal on a well-run network. If you don't trust the
> > equipment, switch to proxy servers, you're not going to leak then.
>
> and is the full impact of this visible?
Define "full impact." Packets sourced at 1918 addresses only impact the
receiving equipment's stack. In the case of an advertisement, unless the
advertisee is set to listen on the addresses, there's not a lot of
impact. If they are, I expect they'd receive a lot of replies to spoofed
packets. It's almost worth trying to talk ARIN into allowing
advertisement to go hunting.
Every once in a while (and it's been a while - probably about that time)
someone advertises one, or worse advertises someone else's real netblock --
folks whose providers aren't doing good ingress filtering and who leak get
bitten. Those are fairly uncommon occurrences, and having your legitimate
addresses advertised to a bogus AS is worth far more on the damage value
scale, since it requires your traffic peers to know to block with
filtering, an almost insolvable problem if your peers are net-wide
instead of housed under the same Tier-N routing structure. Worse yet,
the advertiser can still forward your packets back to you afterwards in
some to most instances.
> has other equipment received packets which weren't destined to it?
Mostly it affects routers, which don't act on the packets other than to
forward them. For bad NAT and load-balancing stuff, the data was
destined, just misaddressed on the source IP field and dropped (with
filters/inspection engines logging it).
Given the number of potential route paths to your network from any point
on the Internet, the number of "legitimate" destinations for your packets
in-transit makes the spectre of illegitimate hosts rather undaunting.
Expecting best-path over legitimate and guarded infrastructure is
likely to be more common a failure as the length of time someone
advertises a 1918 address block before someone notices and their peers clamp
down. Stopping BGP from picking "better" routes from bad sources is a
much easier mistake to make, especially in the complex configurations
most large-scale providers with multiple peering points use.
Ask your provider if they filter it - if you don't accept BGP from them and
filter it yourself (or filter it using ACLs yourself). At that point,
it's a solved problem for you other than leaking to their network. You
can filter outbound on your egress routers, or you can accept the leakage
if you're using leaky equipment/technologies.
Search the NANOG archives if you want a provider's eye view of such;
there are bound to be posts from the last few times it's happened somewhere
in there.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
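The two checks the message describes (border ingress/egress filtering of reserved space, and a cron job that scans BGP data for reserved blocks or your own netblock originated by another AS), as an added Python example that is not part of the original post or the list discussion; the ASN, the prefixes, the BGP snapshot and the reserved-block list are constructed, illustrative values.

```python
import ipaddress

# Constructed, illustrative reserved list: RFC 1918 plus loopback and
# "this network"; a production bogon list would be longer.
RESERVED = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8",
)]
MY_AS = 64496                                           # assumed: my own ASN
MY_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed: my netblock

def hits_reserved(net):
    """True if a prefix (or /32 host) overlaps any reserved block."""
    return any(net.overlaps(r) for r in RESERVED)

def is_mine(net):
    return any(net.overlaps(m) for m in MY_PREFIXES)

def check_announcements(announcements):
    """The 'cron job over BGP data': return (prefix, origin AS, reason) for
    reserved space being announced, or my netblock originated by another AS."""
    problems = []
    for prefix, origin_as in announcements:
        net = ipaddress.ip_network(prefix)
        if hits_reserved(net):
            problems.append((prefix, origin_as, "reserved block announced"))
        elif is_mine(net) and origin_as != MY_AS:
            problems.append((prefix, origin_as, "my netblock from foreign AS"))
    return problems

def border_verdict(direction, src, dst):
    """Border ACL logic. Ingress drops packets sourced from reserved space or
    forged with my own addresses; egress drops leaked private source addresses
    and anything bound for reserved space."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    if direction == "ingress":
        return "drop" if hits_reserved(s) or is_mine(s) else "permit"
    if direction == "egress":
        return "drop" if hits_reserved(s) or hits_reserved(d) else "permit"
    raise ValueError("direction must be 'ingress' or 'egress'")

if __name__ == "__main__":
    # Constructed BGP snapshot as (prefix, origin AS) pairs.
    snapshot = [("198.51.100.0/24", 64500), ("10.1.0.0/16", 64501),
                ("203.0.113.0/24", 64502), ("203.0.113.0/24", MY_AS)]
    for hit in check_announcements(snapshot):
        print("ALERT", *hit)
    print(border_verdict("ingress", "192.168.1.5", "203.0.113.7"))  # drop
    print(border_verdict("egress", "10.0.0.9", "198.51.100.1"))     # drop
```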