Hmm, well sounds as if there may be a technical problem after all. First, an
intrusion detection problem: does this stream of packets have forged source
addresses? Then, a traceback problem: if so where do these packets originate
from?
Presuming these problems were solved, what would one do with the
information? Go to the offending ISP and ask: "Someone is forging source
addresses from your domain, can you please institute source filtering to
stop them?"
jak
----- Original Message -----
From: "Fred Baker" <[EMAIL PROTECTED]>
To: "James Kempf" <[EMAIL PROTECTED]>
Cc: "Pekka Savola" <[EMAIL PROTECTED]>; "Jun Bi" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, September 20, 2006 3:22 PM
Subject: Re: [SAVA] Re: [Int-area] Call For Participation and
Interest: Source Address Validation Architecture (SAVA)
On Sep 20, 2006, at 9:02 AM, James Kempf wrote:
Here's an idea (which, BTW, I'm not advocating). ISPs agree that if
they detect spoofed packets from someone they cut off forwarding to/from
that AS until the problem is fixed. Really simple and modestly
straightforward to deploy, but not a technical solution. It requires the
RIRs and operator associations to issue a policy, and the operators to
agree to it.
well, there's the rub.
If the source address is spoofed, it's pretty hard to say what AS the
packet arrived from. If you can detect the spoofed packet on a link to a
neighboring AS, you could cut off that AS, but you won't know whether
that AS actually allowed it in or whether it has some other customer that
allowed it in. You only know it got to you.
Unless someone shows me numbers to the contrary, I'll bet that the most
probable case in which you will receive spoofed packets is on the links
that give you the most packets, which is to say the ones that pay you the
most money or which you pay the most money to gain access to. Cutting
those connections off costs you real money.
Now, if the ISPs tell me they're willing to abide by such a policy, I'm
all for it, but I'll bet a good meal in a great restaurant that they're
not the ones that propose the idea.
Lots of incentive for operators to deploy. But there's really no role
for IETF in this, unless there is need for some technical solution to
propagate information on malefactors around, or to terminate forwarding.
The problem is, most Internet types don't like this kind of thing. It
smacks of "regulation" (in fact, it is a kind of regulation, self
regulation). Personally, I think the Internet is better off without a
lot of regulation. If and when a significant chunk of national economic
activity moves online such that these kinds of problems end up
negatively impacting national GDP, the problem will fix itself.
Governments will step in, maybe the ITU will get involved to ensure that
the bad guys can't escape. I hope I'm not around when that happens.
jak
_______________________________________________
SAVA mailing list
[EMAIL PROTECTED]
http://www.nrc.tsinghua.edu.cn/mailman/listinfo/sava
_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area