Re: IP renumbering timeframe

2002-05-06 Thread Forrest W. Christian


On Mon, 6 May 2002, Ralph Doncaster wrote:

 What is the generally accepted timeframe for renumbering?  My reading of
 ARIN policy would seem to imply at least 30 days.

I've read some of your other notes so I'm aware there may be extenuating
circumstances.  That said, I want to mention normal policies as far as I
can see here.

If you have a /22 from a provider, then your right to use it generally
terminates with the end of the contract with that provider.  If you knew
this relationship was going bad, the correct thing would have been to
renumber out of that space as soon as you saw the writing on the wall so
to speak and prepare for this event.

The bottom line is the space is theirs and they can do whatever they want
with it.

I know that if I terminate service to a customer (or the customer
disconnects with me), I expect an immediate return of the space.  If they
want to keep it they need to keep service with me.  Evidently, there is
no current service arrangement between you and Cogent.

It sounds like you've got some stuff for the lawyers to fight about.
Most likely Cogent has done what a lot of us on the list would expect to
be the right thing in relation to the space - immediately revoke use of
address space upon termination of service.  About the only leg you might
have to stand on as far as this is concerned is the termination notice
term language in the contract you signed with them ... i.e. they may have
to give you 30 days notice of termination of service, or if you gave them
notice, they might have to provide service for the remainder of the notice
term.  That said, I'd recommend you get renumbering as it will probably be
faster to renumber than to work something out with Cogent as it sounds
like you aren't on the best of terms with them.

- Forrest W. Christian ([EMAIL PROTECTED]) AC7DE
--
The Innovation Machine Ltd.  P.O. Box 5749
http://www.imach.com/        Helena, MT  59604
Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648
--
  Protect your personal freedoms - visit http://www.lp.org/




Re: IP renumbering timeframe

2002-05-06 Thread Stephen J. Wilcox


   Well how am I supposed to arrange a payment on a Sunday afternoon?
   
   As well I'd say I've already paid them more than enough to use
   their IPs - I never brought up a BGP session with them and never
   passed a single packet to them.  I'm surprised to hear that such
   extortion techniques are considered acceptable.
 
 Read your contract with Cogent carefully. I know our contract states
 that any IP addresses allocated must be returned at termination of
 contract. As with all PA address space, I would suspect this is the norm.

Ours too but we'd still be reasonable, even with a company we had a major
dispute with (altho we might give them 1 month instead of 6 to return
them!).

I think they're on dangerous ground, whether or not their contract says
the IPs should be returned.  If they not only stop routing them but then
start contacting third parties that they have no relationship with and ask
them to stop routing them, with the end result being that your business
cannot function, then I'd say this looks more malicious than pure business,
and I'd suggest to them a courtroom might view it that way too.

I don't like legal battles tho, so I'd probably contact them... suggest they
are harming your business illegally and that a month or two is not
unreasonable to get alternative arrangements in place, dispute or not.

Steve




Re: /31 mask address

2002-05-06 Thread JAKO Andras


  Has anyone used /31 mask addresses on their network?

 Yes, works fine (on an all Cisco network).

Maybe not interesting for an ISP, but I'm using it on a vlan interface on
a 6500/7600. It works fine with IOS 12.1.8-EX5, but 12.1.11-E1 refused the
configuration because it's not a p2p interface. I know, documentation only
talks about p2p, but sometimes I don't like when a feature gets fixed...

Andras




Re: /31 mask address

2002-05-06 Thread Simon Lockhart


On Mon May 06, 2002 at 01:35:34PM +0200, JAKO Andras wrote:
  Yes, works fine (on an all Cisco network).
 
 Maybe not interesting for an ISP, but I'm using it on a vlan interface on
 a 6500/7600. It works fine with IOS 12.1.8-EX5, but 12.1.11-E1 refused the
 configuration because it's not a p2p interface. I know, documentation only
 talks about p2p, but sometimes I don't like when a feature gets fixed...

Indeed, I found this on Saturday! GSR would let me put a /31 on the ethernet
port, but the 6509 at the other end of the ethernet wouldn't.

Simon

-- 
Simon Lockhart   |   Tel: +44 (0)1737 839676 
Internet Engineering Manager |   Fax: +44 (0)1737 839516 
BBC Internet Services| Email: [EMAIL PROTECTED] 
Kingswood Warren,Tadworth,Surrey,UK  |   URL: http://support.bbc.co.uk/



Re: portscan?

2002-05-06 Thread PJ


On Mon, 06 May 2002, blitz wrote:

 
 I know theres knowledgable opinion on this list on this topic.
 
 Besides Gibson's (www.grc.com) port scan and www.DSLreports.com port 
 scanning tools, is there any others you folks have found that are reliable 
 and don't breed spam?
 
 TIA
 
 Marc
 
 

Shell account on an outside box + NMAP?  http://www.insecure.org/nmap/

If you're looking for a web-based public utility,

http://www.linux-sec.net/Audit/nmap.test.gwif.html

has a lot of links to check out.

PJ

-- 
The best prophet of the future is the past.




Re: IP renumbering timeframe

2002-05-06 Thread jlewis


On Mon, 6 May 2002, Stephen J. Wilcox wrote:

 I think they're on dangerous ground, whether or not their contract says
 the IPs should be returned.  If they not only stop routing them but then
 start contacting third parties that they have no relationship with and ask
 them to stop routing them, with the end result being that your business
 cannot function, then I'd say this looks more malicious than pure business,
 and I'd suggest to them a courtroom might view it that way too.

This whole thing sounds fishy.  He never passed any traffic to Cogent, but
he was using their IPs.  Why wasn't he using Peer1's IPs?  Cogent tried to
get them shut down on a Sunday?  Is there a serious BOFH in Cogent's
network monitoring group?  I doubt the billing department would be open
Sunday afternoon to order the disconnect, much less know to suggest
contacting Peer1 to ask them to stop routing the space.  It sounds like
there's an awful lot missing from the story.

This is why using provider IP space sucks...but you have to plan
accordingly.  If you're in dispute and plan to terminate service, start
renumbering.  I've been there and done that.  I've also been on the other
end and let a customer have several months to renumber, but that was a
special case and they left on relatively good terms.  A customer who left
without paying their bill would likely not be treated so well.

-- 
--
 Jon Lewis *[EMAIL PROTECTED]*|  I route
 System Administrator|  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: Williams Opinions?

2002-05-06 Thread John Osmon


On Mon, May 06, 2002 at 09:58:27AM -0400, Owens, Shane (EPIK.ORL) wrote:
 Does anyone have any current opinions on Williams IP service and any
 expected changes with the  Chapter 11?
 
 Shane

Can't speak to their service, as I've never bought anything from them.
After multiple spams in the last few months, I can't see that I ever
would.



Re: Williams Opinions?

2002-05-06 Thread Frank Coluccio




 Does anyone have any current opinions on Williams IP service and any
 expected changes with the  Chapter 11?
 
 Shane

Williams Communications Group Inc. (The Holding Company) has filed, but this, 
*ostensibly*, should not affect the ongoing operations of their operating 
subsidiary, Williams Communications, LLC. 

From the Reuters news release on the subject:
--

Williams Communications Files for Chapter 11 
TULSA, Okla. (Reuters) - Williams Communications Group Inc. (OTC BB:WCGR.OB - 
news) said on Monday it has filed for Chapter 11 bankruptcy protection in a bid 
to restructure and cut its debt by about $6 billion. 

The company said it filed for bankruptcy protection in the U.S. Bankruptcy Court 
for the Southern District of New York and expects to file a reorganization plan 
in the "near future."

Its operating subsidiary, Williams Communications, LLC, is not expected to be 
involved in the Chapter 11 reorganization process, the statement said. 

The company's Chapter 11 filing comes as the battered telecommunications sector 
continues to take a hammering from heavy competition, a glut of fiber-optic
networks and bankruptcy filings by other competitors.
--

Caveat emptor, 

FAC.





Re: Williams Opinions?

2002-05-06 Thread Scott Granados


My opinion, and it's just my opinion, is that they aren't all that
good. :)  They tend to route things oddly, i.e. handing a customer a gig E
but the next hop from the end router is an OC12 when there is an
uncongested OC48 available as well.  They also seem to have a lot of
packet loss and routing strangeness.

Just my .02

On Mon, 6 May 2002, Owens, Shane (EPIK.ORL) wrote:

 Does anyone have any current opinions on Williams IP service and any
 expected changes with the  Chapter 11?
 
 Shane
 
 
 
 




NordNog meeting 13-14 May 2002

2002-05-06 Thread Kurt Erik Lindqvist



(Apologies if considered off-topic)

Registration is now open for the first Nordic Operator Forum meeting in 
Stockholm, 13-14th of May 2002 at the Royal Institute of Technology. The 
event will be free of charge. Please visit http://www.nordnog.org for 
information on registering and the agenda.





RE: IP renumbering timeframe

2002-05-06 Thread Daniel Golding



Indeed, you have hit upon one of the significant weaknesses of the ARIN IP
registry system - that it relies largely upon the integrity of its members
in order to properly issue and conserve address space. ARIN is largely based
upon the honor system, with one check on the potentially dishonest being a
general unwillingness to be branded an IP address cheat or poor internet
citizen.

Of course, should one choose to be somewhat less upstanding of an internet
citizen, posting one's intentions to do so on NANOG, frequented as it is by
various ARIN people, might not be such a good idea.

- Daniel Golding

 Ralph Doncaster angrily ruminated

 What it tells me is I should have wasted enough space to consume 8 /24s
 long ago, so I could get a /20 directly from ARIN.  I assign IPs to
 customers very conservatively.  Multiple DSL customers with static IPs are
 put on a shared subnet instead of one subnet per customer.  I easily could
 have used 8 /24's a year ago and still conformed to ARIN rules.  At the
 time I was only using 3 /24's.  We recently reached 8 /24s and applied to
 ARIN a few weeks ago for a /20, but it sounds like the best thing to do is
 to use IPs in the most inefficient way possible (while still conforming to
 ARIN policy) in order to quickly qualify for PI space.

 -Ralph






Re: Semi OT: Co-Location in Virginia/DC/Maryland

2002-05-06 Thread Richard A Steenbergen


On Mon, May 06, 2002 at 11:45:38AM -0600, Christopher E. Brown wrote:
 
 Hoping some of you can send me suggestions on Datacenter/CoLo
 facilities in the Virginia/DC/Maryland area that can support
 
 20 Racks
 
 Multiple providers capable of a minimum of DS3 level service (OC3s
 available from multiple providers preferred)
 
 Stable/Secure/Sane to use facility
 
 Usable site supplied UPS, or support for customer provided Symmetra or
 similar.
 
 24/7 access

Multiple providers pretty much means a carrier neutral colo. In the DC 
area, your big 3 are:

Equinix
PAIX
Switch and Data

For price, quality, and if your goal is primarily to purchase transit, I 
would recommend Equinix, located in Ashburn VA.

That said, this isn't the appropriate list for that kind of question. 
ISP-Bandwidth or ISP-Colo might be more appropriate.

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)



Re: IP renumbering timeframe

2002-05-06 Thread David Conrad


Grant,

On 5/6/02 11:03 AM, Grant A. Kirkwood [EMAIL PROTECTED] wrote:
 Just how big should the DFZ be?
 What are we trying to solve here?

Solve?  I wasn't under the impression that anyone was trying to solve
anything.  Venting of unhappiness, perhaps?  But perhaps I'm too cynical...

 AFAIK, the policy exists because of the
 supposed shortage of IP space.

That is not my understanding.  Or rather, this wasn't the basis of policies
defined in RFC 2050 or any subsequent policies that I'm aware of (perhaps to
the chagrin of those pushing IPv6).  IPv4 address space is a _limited_
resource, not necessarily (currently) a scarce resource.  The policies
described in RFC 2050 documented existing registry address delegation
policies established in a (sometimes excruciatingly painful) free-for-all
with the ISPs, the IEPG, the IETF CIDRD and ALE working groups, and the
various local, national, and regional registries.

Look at the introduction of RFC 2050, in particular, the three goals listed.

 Let's not regurgitate the basement-multihomers discussion.

Ah yes, number 2'ing in the pool.  I won't mention it if you won't.

In any event, the whole point here is that if everybody and their brother
start announcing (and withdrawing) routes into the DFZ, ISPs will have two
choices:

A) watch their routers become non-responsive or crash and (hopefully) reboot
B) filter announcements to keep the routing tables and thrash within reason

Historically, ISPs have chosen B (Hi Sean! :-)).  You'll note that it is
the ISPs (not the registries) that have control over what gets into routing
tables.  Make life hard for the folks that have full routes and they'll make
life hard for you.

Yes, you can lie through your teeth on address space allocation requests.
You'll probably even get away with it (although in my experience, it is
surprising how difficult people find staying consistent with their lies).
However, as with dumping dioxins into the water table, the end result is
somewhat less than appealing.

Rgds,
-drc




RE: IP renumbering timeframe

2002-05-06 Thread Ralph Doncaster


But it would seem that given the attitude many have expressed here of "if
they're not your customer any more, screw 'em", then relying on the honor
system is unwise.

Ralph Doncaster
principal, IStop.com 
div. of Doncaster Consulting Inc.

On Mon, 6 May 2002, Daniel Golding wrote:

 
 Indeed, you have hit upon one of the significant weaknesses of the ARIN IP
 registry system - that it relies largely upon the integrity of its members
 in order to properly issue and conserve address space. ARIN is largely based
 upon the honor system, with one check on the potentially dishonest being a
 general unwillingness to be branded an IP address cheat or poor internet
 citizen.
 
 Of course, should one choose to be somewhat less upstanding of an internet
 citizen, posting one's intentions to do so on NANOG, frequented as it is by
 various ARIN people, might not be such a good idea.
 
 - Daniel Golding
 
  Ralph Doncaster angrily ruminated
 
  What it tells me is I should have wasted enough space to consume 8 /24s
  long ago, so I could get a /20 directly from ARIN.  I assign IPs to
  customers very conservatively.  Multiple DSL customers with static IPs are
  put on a shared subnet instead of one subnet per customer.  I easily could
  have used 8 /24's a year ago and still conformed to ARIN rules.  At the
  time I was only using 3 /24's.  We recently reached 8 /24s and applied to
  ARIN a few weeks ago for a /20, but it sounds like the best thing to do is
  to use IPs in the most inefficient way possible (while still conforming to
  ARIN policy) in order to quickly qualify for PI space.
 
  -Ralph
 
 
 
 




RE: IP renumbering timeframe

2002-05-06 Thread Scott Granados


Well don't forget it's a two-way street.  If a customer isn't paying
their bill then it's the provider getting screwed.  There is no incentive
or in fact good reason to be helpful to this person.  I won't be helpful
to someone who decides to switch services and not pay me, ever!  On the
other hand if they are reasonable and if there is a friendly split both
sides are more likely to be reasonable.  If someone buys a product, say a
computer, from you and doesn't pay, will you still service them?
Better still, if I'm the telephone company and you stiff me for x# of
dollars and switch to another carrier, do you really expect me to release
the same telephone number for you so that you can switch unaffected?
It's totally unreasonable to assume when someone isn't paid for their
services that they will allow you to continue using their resources.
And we're only talking a /20 here, not too large a task.

On Mon, 6 May 2002, Ralph Doncaster wrote:

 
 But it would seem that given the attitude many have expressed here of "if
 they're not your customer any more, screw 'em", then relying on the honor
 system is unwise.
 
 Ralph Doncaster
 principal, IStop.com 
 div. of Doncaster Consulting Inc.
 
 On Mon, 6 May 2002, Daniel Golding wrote:
 
  
  Indeed, you have hit upon one of the significant weaknesses of the ARIN IP
  registry system - that it relies largely upon the integrity of its members
  in order to properly issue and conserve address space. ARIN is largely based
  upon the honor system, with one check on the potentially dishonest being a
  general unwillingness to be branded an IP address cheat or poor internet
  citizen.
  
  Of course, should one choose to be somewhat less upstanding of an internet
  citizen, posting one's intentions to do so on NANOG, frequented as it is by
  various ARIN people, might not be such a good idea.
  
  - Daniel Golding
  
   Ralph Doncaster angrily ruminated
  
   What it tells me is I should have wasted enough space to consume 8 /24s
   long ago, so I could get a /20 directly from ARIN.  I assign IPs to
   customers very conservatively.  Multiple DSL customers with static IPs are
   put on a shared subnet instead of one subnet per customer.  I easily could
   have used 8 /24's a year ago and still conformed to ARIN rules.  At the
   time I was only using 3 /24's.  We recently reached 8 /24s and applied to
   ARIN a few weeks ago for a /20, but it sounds like the best thing to do is
   to use IPs in the most inefficient way possible (while still conforming to
   ARIN policy) in order to quickly qualify for PI space.
  
   -Ralph
  
  
  
  
 




Re: Effective ways to deal with DDoS attacks?

2002-05-06 Thread Ralph Doncaster


 What's NANOG's opinion: assuming that uRPF is implemented on all
 customer interfaces, are there any legitimate purposes for a customer to
 forward packets with source IP addresses not currently routed by the
 transit provider towards the customer (either static or BGP)?

IP Tunneling - it often makes more sense to send packets out that have a
source address reachable only through the tunnel.




RE: IP renumbering timeframe

2002-05-06 Thread Ralph Doncaster


As I already pointed out, I never passed a packet to Cogent.  They were
ready to provide service before I was ready to start using it.  I paid
setup, 1st month service, and then some.

And your computer analogy is totally ridiculous.  The only service I
ever actually used was a /22 of IP space.  A /19 from ARIN is $2500 for a
year, so if Cogent wanted a couple hundred for my continued use of the /22
for 90 days I would have happily paid it.

Ralph Doncaster
principal, IStop.com 
div. of Doncaster Consulting Inc.

On Mon, 6 May 2002, Scott Granados wrote:

 Well don't forget it's a two-way street.  If a customer isn't paying
 their bill then it's the provider getting screwed.  There is no incentive
 or in fact good reason to be helpful to this person.  I won't be helpful
 to someone who decides to switch services and not pay me, ever!  On the
 other hand if they are reasonable and if there is a friendly split both
 sides are more likely to be reasonable.  If someone buys a product, say a
 computer, from you and doesn't pay, will you still service them?
 Better still, if I'm the telephone company and you stiff me for x# of
 dollars and switch to another carrier, do you really expect me to release
 the same telephone number for you so that you can switch unaffected?
 It's totally unreasonable to assume when someone isn't paid for their
 services that they will allow you to continue using their resources.
 And we're only talking a /20 here, not too large a task.
 
 On Mon, 6 May 2002, Ralph Doncaster wrote:
 
  
  But it would seem that given the attitude many have expressed here of "if
  they're not your customer any more, screw 'em", then relying on the honor
  system is unwise.
  
  Ralph Doncaster
  principal, IStop.com 
  div. of Doncaster Consulting Inc.
  
  On Mon, 6 May 2002, Daniel Golding wrote:
  
   
   Indeed, you have hit upon one of the significant weaknesses of the ARIN IP
   registry system - that it relies largely upon the integrity of its members
   in order to properly issue and conserve address space. ARIN is largely based
   upon the honor system, with one check on the potentially dishonest being a
   general unwillingness to be branded an IP address cheat or poor internet
   citizen.
   
   Of course, should one choose to be somewhat less upstanding of an internet
   citizen, posting one's intentions to do so on NANOG, frequented as it is by
   various ARIN people, might not be such a good idea.
   
   - Daniel Golding
   
    Ralph Doncaster angrily ruminated
   
    What it tells me is I should have wasted enough space to consume 8 /24s
    long ago, so I could get a /20 directly from ARIN.  I assign IPs to
    customers very conservatively.  Multiple DSL customers with static IPs are
    put on a shared subnet instead of one subnet per customer.  I easily could
    have used 8 /24's a year ago and still conformed to ARIN rules.  At the
    time I was only using 3 /24's.  We recently reached 8 /24s and applied to
    ARIN a few weeks ago for a /20, but it sounds like the best thing to do is
    to use IPs in the most inefficient way possible (while still conforming to
    ARIN policy) in order to quickly qualify for PI space.
   
    -Ralph
   
   
   
   
  
 
 




Re: anybody else been spammed by no-ip.com yet?

2002-05-06 Thread Scott Francis

On Sat, May 04, 2002 at 06:01:49PM -0600, [EMAIL PROTECTED] said:
[snip]
 Passing laws and putting on filters don't work.  Depending on each mail
 server admin to do the right thing doesn't work.  We need to find
 something else that will.

I'm beginning to think that fighting the spam itself is futile. What we
should perhaps be focusing on is removing access to whatever is being
spamvertised (frequently a get-rich-quick website, porn site, diet site, etc.
- but generally a website somewhere, that can have the plug pulled).

Most of the discussion so far has focused on fighting the spam, but most of
the methods feel a bit akin to moving an object tied to a rope by pushing the
rope. I may get 15 spams from 15 different originating points, with 15
different headers, but they will frequently _all_ be advertising the same
site or service. Wouldn't it be simpler to focus efforts on cutting off
service to whatever is being spamvertised? It's the single link in the chain
that, if cut, will take away the point of the spam.

Thinking out loud here ... I realize there are problems (free/throwaway hosting,
non-responsive network/hosting providers in other parts of the world, etc.
etc.), but I think focusing on removing the motivation for the spam would be
easier than trying to stop spam directly.

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: Effective ways to deal with DDoS attacks?

2002-05-06 Thread Ralph Doncaster


 On Wed, 1 May 2002, Pete Kruckenberg wrote:
 
 I finally found a paper on this type of attack.  
 http://grc.com/files/drdos.pdf and
 http://grc.com/dos/grcdos.htm describe the attack and a few
 possible defenses, though they are about as ineffective as
 most other DDoS defenses.

Has NANOG stooped to quoting Steve Gibson as an expert on DDoS attacks?

-Ralph





Re: anybody else been spammed by no-ip.com yet?

2002-05-06 Thread Ralph Doncaster


On Mon, 6 May 2002, Scott Francis wrote:

 On Sat, May 04, 2002 at 06:01:49PM -0600, [EMAIL PROTECTED] said:
 [snip]
  Passing laws and putting on filters don't work.  Depending on each mail
  server admin to do the right thing doesn't work.  We need to find
  something else that will.
 
 I'm beginning to think that fighting the spam itself is futile. What we
 should perhaps be focusing on is removing access to whatever is being
 spamvertised (frequently a get-rich-quick website, porn site, diet site, etc.
 - but generally a website somewhere, that can have the plug pulled).

Actually, my analysis of spam seems to indicate authentication of remote
SMTP servers through a process similar to joining this list would remove
99+% of SPAM.  i.e. the first email from a particular remote server that
is received, requires the sender to take some action (respond with a
password, click on a URL, etc.) before the mail gets through.  One of
these days I hope to write the procmail rules to do it (if I don't find
someone that has done it already).

-Ralph





Re: anybody else been spammed by no-ip.com yet?

2002-05-06 Thread Luca Filipozzi


On Mon, May 06, 2002 at 07:31:47PM -0400, Ralph Doncaster wrote:
 Actually, my analysis of spam seems to indicate authentication of remote
 SMTP servers through a process similar to joining this list would remove
 99+% of SPAM.  i.e. the first email from a particular remote server that
 is received, requires the sender to take some action (respond with a
 password, click on a URL, etc.) before the mail gets through.  One of
 these days I hope to write the procmail rules to do it (if I don't find
 someone that has done it already).

Such a beast lives already: Tagged Message Delivery Agent.

http://software.libertine.org/tmda/

Yours, Luca

-- 
Luca Filipozzi, ECE Dept. IT Manager, University of British Columbia
Office: MacLeod 257  Voice: 604.822.3976  Web: www.ece.ubc.ca/~lucaf
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D



Re: Effective ways to deal with DDoS attacks?

2002-05-06 Thread Ralph Doncaster


On Mon, 6 May 2002, [EMAIL PROTECTED] wrote:

 On Mon, 06 May 2002 19:04:11 EDT, Ralph Doncaster said:
 
  IP Tunneling - it often makes more sense to send packets out that have a
  source address reachable only through the tunnel.
 
 But aren't those source addresses hidden *inside* the encapsulation, and
 what's visible to routers are the source/dest IPs of the tunnel itself?

What I'm saying is that if something comes in through the tunnel, the
shortest route to the destination is often not to go back out through the
tunnel.




Re: anybody else been spammed by no-ip.com yet?

2002-05-06 Thread Forrest W. Christian


On Mon, 6 May 2002, Ralph Doncaster wrote:

 Actually, my analysis of spam seems to indicate authentication of remote
 SMTP servers through a process similar to joining this list would remove
 99+% of SPAM.  i.e. the first email from a particular remote server that
 is received, requires the sender to take some action (respond with a
 password, click on a URL, etc.) before the mail gets through.  One of
 these days I hope to write the procmail rules to do it (if I don't find
 someone that has done it already).

Tagged Message Delivery Agent.

http://software.libertine.org/tmda/

- Forrest W. Christian ([EMAIL PROTECTED]) AC7DE
--
The Innovation Machine Ltd.  P.O. Box 5749
http://www.imach.com/        Helena, MT  59604
Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648
--
  Protect your personal freedoms - visit http://www.lp.org/




Re: anybody else been spammed by no-ip.com yet?

2002-05-06 Thread Valdis . Kletnieks

On Mon, 06 May 2002 19:31:47 EDT, Ralph Doncaster said:
 99+% of SPAM.  i.e. the first email from a particular remote server that
 is received, requires the sender to take some action (respond with a

And the mailing list you just subscribed to clicks on the URL *how*?

Across the hall we've got a large Sun box that does some 2M POP3 checks
per week, for a 70K+ user community. Explain how your scheme works in that
environment.

OK.. said throw-away dialup tosses one piece of mail, has a little proggie
that catches the response and automates the reply, and then proceeds to
spam my 70K users.  Wow, that slowed them down a lot. ;)





Re: Effective ways to deal with DDoS attacks?

2002-05-06 Thread Stephen Griffin


In the referenced message, Steven W. Raymond said:
 
 Stephen Griffin wrote:
   Tell them they will need to register their routes in the IRR, even if they
   don't necessarily advertise all or any of them. Build your exceptions
   based upon the irr, as for all bgp-speaking customers.
  
  
  not route-filtering. You use the irr-data to populate the exceptions
  to strict-mode rpf. The irr is more of a flight-plan of possibility.
  If the customer registers both sets of routes, and you use that
  data to build the acl, then it doesn't matter what the customer announces
  to you. Anything which fails the actual rpf check, will then be
  passed through the acl to selectively override the rpf check.
 
 What about existing customers that don't yet use the IRR?  Say you
 filter some BGP customers' route announcements using manually-built
 prefix-lists.  Have found that by using distribute-list in (instead of
 prefix-list), one can simply refer the distribute-list # in the strict
 uRPF configuration and accomplish both functions (route filtering +
 uRPF) easily with one ACL.

The IRR is merely an input vector. An alternate input vector is manual
entry. The output would be an ACL or prefix-list. I don't believe the
format of a routing-use ACL and an RPF-use ACL is the same.

My recollection is that when used for route filtering you have:
access-list foo {permit|deny} ip network wildbits netmask wildbits

where for RPF, or traditional traffic filter is
access-list foo {permit|deny} ip source wildbits dest wildbits

I guess you could use a standard acl however I wouldn't recommend
it for filtering routes. Even if you could use prefix-lists for
uRPF, you would want to match more-specifics, whereas generally you
don't want to match (unbounded) more-specifics on route filters.

RtConfig can generate either style from IRR data. It isn't too hard
to generate either style from a manual list either.

 e.g.:
  ip verify unicast source reachable-via rx 49
  access-list 49 permit x.x.x.x 0.0.0.255
  access-list 49 permit y.y.y.y 0.0.0.252
  access-list 49 deny   any log
 
 Prefix-lists are preferable over ACL-based distribute-lists.  Hey Cisco,
 please make uRPF configuration accept either distribute-lists or
 prefix-lists for the exception branching.  I realize that to IOS ACLs
 and prefix-lists are not the same, but the benefits of prefix-lists vs.
 distribute-lists are many.

How would uRPF respond to the following prefix-list?
ip prefix-list foo deny 0.0.0.0/0 ge 25
ip prefix-list foo permit 1.2.3.0/24
ip prefix-list foo permit 0.0.0.0/0 le 16

Would it accept all sources within 1.2.3.0/24? What about 10.0.0.0/8?
I guess it could ignore ge and le. Although how it would resolve
conflicts is an unknown. It might try to correspond to actual prefixes, but
that seems unlikely.

 It sounds that a lot of networks rely on IRRs for building BGP customer
 route filters.  What method then is used for the cases where a customer
 is not already using the IRR?  Forced IRR registration before BGP
 turnup?  Or do you fallback on filtering by using prefix- or
 distribute-lists?

In my experience, providers that require IRR registration often allow
the customer to register their own objects, or offer to proxy-register
their customers' objects. The preference generally being on the customer
registering their own objects, since it gives the customer the greatest
degree of control (especially should they change providers.)

 What's NANOG's opinion: assuming that uRPF is implemented on all
 customer interfaces, are there any legitimate purposes for a customer to
 forward packets with source IP addresses not currently routed by the
 transit provider towards the customer (either static or BGP)?

Yes, I think there are definitely legitimate reasons why a customer
would source traffic from prefixes where the actively selected route
does not point back at the interface. This is why acl exceptions and
the loose match came to be. With customers, the acl exception is
probably appropriate. If the customer exhibits sufficient clue, and
demonstrates that they are doing RPF checks, I could definitely see
relaxing restrictions against them. If they are providing transit to
other BGP-speakers, this is probably the case. As in all things, you
know your customer best, so you know how loose you are willing to
make things, with the potential that it may make you look bad.
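The post above says it "isn't too hard" to generate either style from a manual list, and that a route filter should match exact prefixes while the uRPF exception list should match everything inside them. The script below, added here as an illustration and not part of the original thread or any RtConfig output, does exactly that from one constructed list of customer prefixes (documentation ranges; the ACL number 49 is borrowed from the quoted config, the prefix-list name CUST-IN is made up). The last function evaluates the generated standard ACL the way IOS does, so the difference between "match the network" and "match every host in it" can be checked rather than assumed.

```python
"""Generate a uRPF exception ACL and a BGP route prefix-list from one
manually maintained list of customer prefixes (added example; the prefixes,
ACL number and prefix-list name are constructed for illustration)."""
import ipaddress

# Constructed sample input: the prefixes a customer is allowed to announce
# and to source traffic from (documentation ranges, not real assignments).
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/22"]


def build_urpf_acl(prefixes, acl_number=49):
    """Standard ACL for 'ip verify unicast source reachable-via rx <acl>'.

    Each entry covers every host inside the prefix: IOS standard ACLs take
    an inverse (wildcard) mask, which for a /24 is 0.0.0.255. A final
    'deny any log' records sources the exception list did not cover."""
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        lines.append(f"access-list {acl_number} permit {net.network_address} {net.hostmask}")
    lines.append(f"access-list {acl_number} deny   any log")
    return lines


def build_route_prefix_list(prefixes, name="CUST-IN", max_len=24):
    """Prefix-list for the BGP session: exact prefixes only, no ge/le, so
    more-specifics are not accepted; the closing deny makes the implicit
    deny visible. Refuses prefixes longer than max_len."""
    lines, seq = [], 5
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        if net.prefixlen > max_len:
            raise ValueError(f"{net} is longer than /{max_len}")
        lines.append(f"ip prefix-list {name} seq {seq} permit {net.with_prefixlen}")
        seq += 5
    lines.append(f"ip prefix-list {name} seq {seq} deny 0.0.0.0/0 le 32")
    return lines


def acl_permits_source(acl_lines, source):
    """Evaluate a generated standard ACL the way IOS does: first match wins,
    bits set in the wildcard mask are ignored, and no match means deny."""
    src = int(ipaddress.ip_address(source))
    for line in acl_lines:
        fields = line.split()
        action, target = fields[2], fields[3:]
        if target[0] == "any":
            matched = True
        else:
            addr = int(ipaddress.ip_address(target[0]))
            wild = int(ipaddress.ip_address(target[1]))
            matched = (src & ~wild) == (addr & ~wild)
        if matched:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    for line in build_urpf_acl(CUSTOMER_PREFIXES) + build_route_prefix_list(CUSTOMER_PREFIXES):
        print(line)
    print(acl_permits_source(build_urpf_acl(CUSTOMER_PREFIXES), "198.51.103.9"))
```

Because both lists come from the same input, a prefix added for a new customer announcement shows up in the uRPF exception list in the same change, which is the "one list for both" outcome the thread is after without asking uRPF to interpret ge/le.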




Re: Effective ways to deal with DDoS attacks?

2002-05-06 Thread Richard A Steenbergen


On Mon, May 06, 2002 at 05:15:25PM -0600, Pete Kruckenberg wrote:
 
 I finally found a paper on this type of attack.  
 http://grc.com/files/drdos.pdf and
 http://grc.com/dos/grcdos.htm describe the attack and a few
 possible defenses, though they are about as ineffective as
 most other DDoS defenses.

Don't confuse the rantings of a nutcase and his T1 with useful information 
about DoS. I have to admit I like the direction the made up acronyms are 
going though, can we have MS-DOS next? :)

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)



Re: Effective ways to deal with DDoS attacks?

2002-05-06 Thread Steven W. Raymond


Stephen Griffin wrote:
 where for RPF, or traditional traffic filter is
 access-list foo {permit|deny} ip source wildbits dest wildbits

Hrrmm, since uRPF checks only the source address, the standard ACL
seems most appropriate to me.

 I guess you could use a standard acl however I wouldn't recommend
 it for filtering routes. Even if you could use prefix-lists for
 uRPF, you would want to match more-specifics, whereas generally you
 don't want to match (unbounded) more-specifics on route filters.
 
 RtConfig can generate either style from IRR data. It isn't too hard
 to generate either style from a manual list either.

It certainly wouldn't hurt to have both a prefix-list for route
filtering and ACL for the uRPF exceptions.  It's just that I am lazy and
thought it would be neat for one list to fulfill both requirements,
since it is essentially the same input data in two different formats.

 How would uRPF respond to the following prefix-list?
 ip prefix-list foo deny 0.0.0.0/0 ge 25

The implicit deny at the end of the prefix-list seems a better way to
accomplish the same result as above (deny anything longer than /24).  In
other words, instead use a prefix-list containing an explicit list of
the permitted networks, rather than pattern matching to deny what bad
stuff might be announced.

 ip prefix-list foo permit 1.2.3.0/24
 ip prefix-list foo permit 0.0.0.0/0 le 16
 
 Would it accept all sources within 1.2.3.0/24? What about 10.0.0.0/8?
 I guess it could ignore ge and le. Although how it would resolve
 conflicts is an unknown. It might try to correspond to actual prefixes, but
 that seems unlikely.

To restate above, just permit explicit networks customer plans to
announce and source traffic from.  Don't wildcard in customer prefix-lists
inbound.  Every source packet address received should be covered by
his prefix-list (even if not the FIB entry best path choice).  Every
other source IP address packet is dropped.  In fantasy land, uRPF
could confirm that each packet source address matches at least one of
the networks in the prefix-list.

 Yes, I think there are definitely legitimate reasons why a customer
 would source traffic from prefixes where the actively selected route
 does not point back at the interface. This is why acl exceptions and
 the loose match came to be. With customers, the acl exception is
 probably appropriate. 

Would you agree it is indeed necessary for every BGP customer-facing
interface to implement exception checking with strict uRPF? 
Customer-set communities can change local pref easily enough to break
strict uRPF lacking exception checking.  But with the ACL permitting
exceptions based upon every possible network customer may be sourcing
from, the entry doesn't even have to be best path in the FIB to permit
the packet.  Customer needed only to have gotten the ISP to include it
in his prefix-list at some point.
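Both posts above turn on the same point: with strict uRPF, a customer-set community that moves the best path for one of the customer's prefixes onto another interface makes the check fail, and the ACL exception is what lets those packets through without the prefix having to be the FIB best path on that interface. The model below is an added example, not anything from the thread or from IOS; the FIB, interface names and prefixes are constructed, and the exception list stands in for the standard ACL referenced by "ip verify unicast source reachable-via rx <acl>". It also shows why loose mode does not help against spoofing of space that is routed somewhere.

```python
"""Model of strict and loose uRPF on a customer-facing interface, with an
ACL exception list (added example; FIB contents and interface names are
constructed for illustration)."""
import ipaddress


class Fib:
    """Minimal forwarding table: longest-prefix match returns (prefix, egress)."""

    def __init__(self, routes):
        nets = [(ipaddress.ip_network(p, strict=True), ifc) for p, ifc in routes]
        # Most specific first so the first hit is the longest match.
        self.routes = sorted(nets, key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for net, ifc in self.routes:
            if a in net:
                return net, ifc
        return None, None


def urpf_check(fib, ingress, source, mode="strict", exception_prefixes=()):
    """Return ("pass" | "drop", reason) for a packet from `source` arriving
    on `ingress`. Strict: the best path to the source must point back at
    the ingress interface. Loose: any route to the source suffices.
    `exception_prefixes` plays the role of the standard ACL that permits
    sources even when the RPF lookup fails."""
    src = ipaddress.ip_address(source)
    net, ifc = fib.lookup(src)
    if net is None:
        rpf_ok, reason = False, "no route to source"
    elif mode == "loose":
        rpf_ok, reason = True, f"route {net} exists (loose)"
    else:
        rpf_ok = ifc == ingress
        reason = f"best path for {net} via {ifc}"
        if not rpf_ok:
            reason += f", packet arrived on {ingress}"
    if rpf_ok:
        return "pass", reason
    for p in exception_prefixes:
        if src in ipaddress.ip_network(p, strict=True):
            return "pass", f"RPF failed ({reason}) but ACL exception permits {p}"
    return "drop", reason


# Constructed scenario: the customer on Gi1 announces 192.0.2.0/24 and
# 198.51.100.0/22, but a community it set raised local-pref on a second
# session so the best path for the /22 now goes via Gi2. 203.0.113.0/24 is
# someone else's space reachable via Gi3. No default route is installed.
FIB_ROUTES = [
    ("192.0.2.0/24", "Gi1"),
    ("198.51.100.0/22", "Gi2"),
    ("203.0.113.0/24", "Gi3"),
]
# The customer's prefix-list, reused as the uRPF exception ACL.
CUSTOMER_EXCEPTIONS = ["192.0.2.0/24", "198.51.100.0/22"]


def demo():
    """Run the scenario and return the verdicts in a dict for inspection."""
    fib = Fib(FIB_ROUTES)
    return {
        "own_prefix_strict": urpf_check(fib, "Gi1", "192.0.2.10")[0],
        "moved_prefix_strict": urpf_check(fib, "Gi1", "198.51.100.7")[0],
        "moved_prefix_with_acl": urpf_check(fib, "Gi1", "198.51.100.7",
                                            exception_prefixes=CUSTOMER_EXCEPTIONS)[0],
        "spoofed_routed_with_acl": urpf_check(fib, "Gi1", "203.0.113.5",
                                              exception_prefixes=CUSTOMER_EXCEPTIONS)[0],
        "spoofed_routed_loose": urpf_check(fib, "Gi1", "203.0.113.5", mode="loose")[0],
        "unrouted_loose": urpf_check(fib, "Gi1", "10.0.0.1", mode="loose")[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The exception list is only as good as the prefix-list it is derived from: everything in it is accepted regardless of what the FIB says, so adding a prefix to a customer's filter is also a decision to accept that customer's packets with those sources.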



Re: Effective ways to deal with DDoS attacks?

2002-05-06 Thread Chris Adams


Once upon a time, Richard A Steenbergen [EMAIL PROTECTED] said:
 Don't confuse the rantings of a nutcase and his T1 with useful information 
 about DoS. I have to admit I like the direction the made up acronyms are 
 going though, can we have MS-DOS next? :)

You mean MicroSoft Denial Of Service?  I think it is more commonly
spelled O-U-T-L-O-O-K.
-- 
Chris Adams [EMAIL PROTECTED]
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: anybody else been spammed by no-ip.com yet?

2002-05-06 Thread Mike Joseph


On Mon, 6 May 2002, Scott Francis wrote:

 On Sat, May 04, 2002 at 06:01:49PM -0600, [EMAIL PROTECTED] said:
 [snip]
  Passing laws and putting on filters don't work.  Depending on each mail
  server admin to do the right thing doesn't work.  We need to find
  something else that will.
 
 I'm beginning to think that fighting the spam itself is futile. What we
 should perhaps be focusing on is removing access to whatever is being
 spamvertised (frequently a get-rich-quick website, porn site, diet site, etc.
 - but generally a website somewhere, that can have the plug pulled).
 

The major problem I see with this is the need to verify that the
spamvertised site actually requested or paid for the spam.  After all,
what's to prevent me from spamming in the name of xyz.com just so I can
see them shutdown?  More importantly, you need evidence to shut a customer
and being spamvertised alone is not necessarily sufficient.

-Mike




Re: anybody else been spammed by no-ip.com yet?

2002-05-06 Thread Marc MERLIN


On Tue, May 07, 2002 at 01:13:34AM -0400, Mike Joseph wrote:
 The major problem I see with this is the need to verify that the
 spamvertised site actually requested or paid for the spam.  After all,
 what's to prevent me from spamming in the name of xyz.com just so I can
 see them shutdown?  More importantly, you need evidence to shut a customer
 and being spamvertised alone is not necessarily sufficient.

Just  to  say that  this  is  not  hypothetical,  before we  eventually  got
permanently  whitelisted  on spamcop,  I  would  routinely get  spamvertised
website complaints on open source projects hosted on sourceforge.net

Spammers would  either list  open source  projects URLs  in their  spams for
various reasons, or the spam would contain the URL of an open source project
(like razor.sourceforge.net, squirrelmail.org, or something like that)

The most distressing part is that all those reports were supposedly reviewed
and approved by humans before being sent.

Sigh...

Marc
-- 
Microsoft is to operating systems and security
   what McDonalds is to gourmet cooking
  
Home page: http://marc.merlins.org/   |   Finger [EMAIL PROTECTED] for PGP key