The original point was that a leaf network might find itself sued if it allows  
packets to leave with a bogus source IP address. Perhaps we should write up an RFC 
about leaf networks restricting outgoing packets with egress filtering. It wouldn't 
completely stop DDoS but it would make the AOL/EarthLink/Home etc. networks much less 
likely to be sources of spoofed packets.
Cable modems are in the 24.0.0.0/8 and 65.0.0.0/10 IP space. If they only allowed 
those IPs to leave, cable modems wouldn't be used for DDoS other than to cable modem 
customers. And even if the source address were forged to be another cable modem 
address, it would still make back tracing a lot easier because one would start at the 
cable network border routers rather than every possible backbone connection.
  If an ISP is ferrying traffic, it should be doing ingress filtering on input so that 
egress filtering is not necessary for backbone routers but only leaf routers.
   It is not a perfectly simple problem but I believe it is as solvable as BGP routing.
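As an added example (not code from the thread), a toy model of the rules discussed above: a leaf border router that reuses its own prefixes both for the egress golden rule and for the mirror-image ingress check, so the filter needs no table the router doesn't already hold. The prefixes and sample packets are constructed; the 24.0.0.0/8 and 65.0.0.0/10 blocks are the ones named in the message.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the address blocks the leaf network owns,
# i.e. the same prefixes its border router already holds in its routing
# table (the 24.0.0.0/8 and 65.0.0.0/10 cable blocks named in the thread).
OWN_PREFIXES = [ip_network("24.0.0.0/8"), ip_network("65.0.0.0/10")]


def is_own_address(src: str) -> bool:
    """True if the source address falls in a block we route *to* internally."""
    addr = ip_address(src)
    return any(addr in prefix for prefix in OWN_PREFIXES)


def egress_decision(src: str) -> str:
    """Golden rule from the thread: only let a packet out of the network if
    its source is an address we would accept traffic for on the inside."""
    return "allow" if is_own_address(src) else "drop"


def ingress_decision(src: str) -> str:
    """The same list seen from the other side of the peering point: a packet
    arriving from outside must not claim one of our own addresses as source."""
    return "drop" if is_own_address(src) else "allow"


def filter_packets(packets):
    """Apply the direction-appropriate rule to (direction, src, dst) tuples.
    Returns one (direction, src, decision) tuple per packet."""
    results = []
    for direction, src, _dst in packets:
        check = egress_decision if direction == "out" else ingress_decision
        results.append((direction, src, check(src)))
    return results


# Constructed sample traffic seen at the cable network's border router.
SAMPLE_PACKETS = [
    ("out", "24.1.2.3", "198.51.100.7"),       # legitimate customer traffic
    ("out", "203.0.113.9", "198.51.100.7"),    # spoofed source: not ours, dropped
    ("out", "24.200.0.1", "198.51.100.7"),     # forged as another cable modem: passes,
                                               # but tracing now starts at this border
    ("out", "65.63.255.255", "198.51.100.7"),  # last address inside 65.0.0.0/10
    ("out", "65.64.0.1", "198.51.100.7"),      # just past the /10 boundary: dropped
    ("in", "198.51.100.7", "24.1.2.3"),        # ordinary inbound traffic
    ("in", "65.10.0.1", "24.1.2.3"),           # outsider claiming our address: dropped
]

if __name__ == "__main__":
    for direction, src, decision in filter_packets(SAMPLE_PACKETS):
        print(f"{direction:>3} src={src:<15} -> {decision}")
```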

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Sunday, June 10, 2001 08:27
To: [EMAIL PROTECTED]
Subject: RE: This is a must read document. It will freak you out


  Egress filtering at border points is appropriate for leaf networks. 
 Many ISPs, though, also ferry third-party traffic between their 
peering points; it would be inappropriate for them to accept traffic 
that an egress rule elsewhere will prevent them from delivering.

  This isn't to say that it can't or shouldn't be done, only that 
determining how much filtering should be done, and at which routers, 
may be less simple for multi-homed ISPs than it sounds.

David Gillett


On 9 Jun 2001, at 21:16, Paul D. Robertson wrote:

> On Sat, 9 Jun 2001, Bill Royds wrote:
> 
> > Note: RFC 2267 has been superseded by RFC 2827
> 
> Thanks, I had indeed missed that.
> 
> > 
> > You are correct, RFC2827 is not a standard but it is a Best Current
> > Practice (BCP0038) which could be used as a precedent in a lawsuit if
> > it came to that. RFC2827 is about ingress filtering for backbones
> > rather than egress filtering for ISPs but the rules are similar. It
> > is just which side of the peering point you are looking at. Egress
> > filtering would require a lot less horsepower than ingress filtering
> > because the border router already has routing tables for what IP
> > blocks it accepts traffic. Using this on source address of outgoing
> > traffic adds not much more memory overhead (although it does add more
> > CPU cost). This is just applying routing rules to outgoing traffic as
> > well as incoming traffic rather than doing any censoring.
> >    The golden rule of egress filtering: Only allow packets out of your
> > network with source IP address that you would allow in.
> > 
> 
> So, since we seem to be in basic agreement here- is there anyone who can
> come up with a significant impediment to mandatory egress filtering rules 
> other than getting buy-in (ISO layer 8 issues)?
> 
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

