subject:"RE\: what's that smell\?"

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-13 Thread Doug Barton



On Tue, 8 Oct 2002, Iljitsch van Beijnum wrote:

 Ok, but how do you generate megabits worth of traffic for which there is
 no return traffic? At some level, someone or something must be trying to
 do something _really hard_ but keep failing every time. It just doesn't
 make sense.

I could show you VOLUMES of name server logs for people doing things that
could never possibly succeed, over and over and over again. My favorite
are the people who try to use my authoritative name servers as resolvers.
No one at my company can recall a time that our auth. name servers EVER
allowed recursion.

My point is simply that we shouldn't underestimate the stupidity of the
masses, and anything that can be done to improve things, should be. Of
course, the problem in this thread is the varying definitions of
improve.

Doug

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-11 Thread Stephen J. Wilcox



On Thu, 10 Oct 2002, Greg A. Woods wrote:

 [ On Thursday, October 10, 2002 at 11:53:18 (-0400), Richard A Steenbergen wrote: ]
  Subject: Re: Who does source address validation? (was Re: what's that smell?)
 
  
  I'm sure we can all agree on at least the concept that sourcing packets
  from an address which cannot receive a reply is at least potentially
  useful, for example to avoid DoS against a critical piece of
  infrastructure. Would it make people feel better if there was a specific
  seperate non-routed address space reserved for router generated messages
  which don't want replies? Why?
 
 Why not just use 127.0.0.1?!?!?!?!?

and thats different from rfc1918 because?

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-10 Thread Richard A Steenbergen



On Thu, Oct 10, 2002 at 01:06:15AM -0400, [EMAIL PROTECTED] wrote:
 On Wed, 09 Oct 2002 23:05:59 BST, Stephen J. Wilcox said:
 
  On a related issue (pMTU) I recently discovered that using a link with MTU 
  1500 breaks a massive chunk of the net - specifically mail and webservers who
  block all inbound icmp.. the servers assume 1500, send out the packets with DF
 
 My personal pet peeve is the opposite - we'll try to use pMTU, some
 provider along the way sees fit to run it through a tunnel, so the MTU
 there is 1460 instead of 1500 - and the chuckleheads number the tunnel
 endpoints out of 1918 space - so the 'ICMP Frag Needed' gets tossed at
 our border routers, because we do both ingress and egress filtering.  
 It's bad enough when all the interfaces on the offending unit are
 1918-space, but it's really annoying when the critter has perfectly good
 non-1918 addresses it could use as the source... Argh...

Ok, I know how this manages to rile people up, but might I suggest that
you brought it upon yourself?

There is a time and a place for messages sourced from addresses to which
you cannot reply, and a time and place where those messages should not
exist. Obviously, a dns *QUERY* is not the place for a message which
cannot be returned. But what about an ICMP *RESPONSE*? Nothing depends
upon the source address of the IP header for operation, the original
headers which caused the problem are encoded in the ICMP message.

And yet people are so busy concerning themselves with this mythical thing
which might break from receiving ICMP overlapping existing internal 1918
space, the extra 0.4% of bandwidth which might be wasted, and the
righteous feeling that they have done something useful, that they don't
stop to realize *THEY* are the ones breaking PMTU-D.

I'm sure we can all agree on at least the concept that sourcing packets
from an address which cannot receive a reply is at least potentially
useful, for example to avoid DoS against a critical piece of
infrastructure. Would it make people feel better if there was a specific
seperate non-routed address space reserved for router generated messages
which don't want replies? Why?

Even Windows 2000+ includes blackhole detection which will eventually
remove the DF bit if packets aren't getting through and ICMP messages
aren't coming back, something many unixes lack. But the heart of the
problem is that people still push packets like every one must include the
maximum data the MTU can support. Do we have any idea how much network
suffering is being caused by that damn 1500 number right now? Aside from
the fact that it is one of the worst numbers possible for the data, it
throws a major monkey wrench in the use of tunnels, pppoe, etc. Eventually
we will realize the way to go is something like 4096 data octets, plus
some room for headers, on a 4470 MTU link. But if the best reason we can
come up with is ISIS, the IEEE will just keep laughing.

/rant

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-10 Thread Iljitsch van Beijnum



On Thu, 10 Oct 2002, Richard A Steenbergen wrote:

 Even Windows 2000+ includes blackhole detection which will eventually
 remove the DF bit if packets aren't getting through and ICMP messages
 aren't coming back, something many unixes lack.

Wow, now I'm impressed. And what about the 1999 other versions of Windows?
This is hardly a new problem. Still, it's good that some people at least
make progress, even if very slowly.

 But the heart of the
 problem is that people still push packets like every one must include the
 maximum data the MTU can support.

And why not?

 Do we have any idea how much network
 suffering is being caused by that damn 1500 number right now? Aside from
 the fact that it is one of the worst numbers possible for the data, it
 throws a major monkey wrench in the use of tunnels, pppoe, etc.

So don't use those.

 Eventually
 we will realize the way to go is something like 4096 data octets, plus
 some room for headers, on a 4470 MTU link.

So what then if someone runs a secure tunnel over wireless over a PPPoE
over ADSL using mobile IPv6 that runs over a tunnel or two ad nauseum
until the headers get bigger than 374 bytes? Then you'll have your problem
right back. Might as well really solve it the first try.

One of the problems is that there is no generally agreed on and widely
available set of rules for this stuff. Setting the DF bit on all packets
isn't good, but it works. Using RFC1918 space to number your tunnel
routers isn't good, but it works. Filtering validating source addresses on
ingress is good, but hey, it doesn't work!

Making a good list of best practices (and then have people widely
implement them) might also go a long way towards showing concerned parties
such as the US administration that the network community consists of
responsible people that can work together for the common good.

 But if the best reason we can
 come up with is ISIS, the IEEE will just keep laughing.

Why is the IEEE laughing?

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-10 Thread Jared Mauch



On Thu, Oct 10, 2002 at 06:36:33PM +0200, Iljitsch van Beijnum wrote:
 So what then if someone runs a secure tunnel over wireless over a PPPoE
 over ADSL using mobile IPv6 that runs over a tunnel or two ad nauseum
 until the headers get bigger than 374 bytes? Then you'll have your problem
 right back. Might as well really solve it the first try.

This is a problem that would be solved by everyone being
responsible and doing pmtud properly.

 One of the problems is that there is no generally agreed on and widely
 available set of rules for this stuff. Setting the DF bit on all packets
 isn't good, but it works. Using RFC1918 space to number your tunnel
 routers isn't good, but it works. Filtering validating source addresses on
 ingress is good, but hey, it doesn't work!

I think we're starting to get at the heart of the problem
but let me stick my neck out and say it:

Registries (APNIC, ARIN, RIPE, usw) charge for ip addresses.
be it via a lease/registration fee, it's a per-ip charge that ISPs must
get via some means out of their subscribers.  (Unless people
don't care about money that is).  Back in the days, one could
obtain ip addresses from Internic saying i will not connect
to internet, i intend to connect at some later date in a
year or two .. (or similar), i intend to connect now.

People number out of 1918 space primarily for a few
reasons, be them good or not:

1) Internal use
2) Cost involved.. nobody else needs to telnet to my p2p
links but me, and i don't want to pay {regional_rir} for my
internal use to reduce costs
3) security of not being a publicly accessible
network.

This can break many things, pmtu, multicast and various
streaming (multi)media applications.

With the past scare of we'll be out of ip addresses by 199x
still fresh in some peoples memories, they in their good consience decided
to also conserve ips via this method.

The problem is not everyone today that considers themselves
a network operator understands all the ramifications of their current
practices, be they good or bad.

Going into fantasy-land mode, if IPv6 addresses were instantly
used by everyone, people could once again obtain ips that could be
used for internal private use yet remain globally unique, therefore
allowing tracking back of who is leaking their own internal sources.


 Making a good list of best practices (and then have people widely
 implement them) might also go a long way towards showing concerned parties
 such as the US administration that the network community consists of
 responsible people that can work together for the common good.

I agree here, I personally think that numbering your internal
links out of 1918 space is not an acceptable solution unless it's
behind your natted network/firewall and does not leak out.

Perhaps some of those that are the better/brighter out there want
to start to write up a list of networking best practices.

Then test those book smart ccie/cne types with the information
to insure they understand the ramifications.  a few good whitepapers
about these might be good to include or quiz folks on.  i suspect
there's only a handful of people that actually understand the complete
end-to-end problem and all the ramifications involved as it is quite
complicated.

  But if the best reason we can
  come up with is ISIS, the IEEE will just keep laughing.
 
 Why is the IEEE laughing?

The implication is that IEEE will not change the 802.x specs
to allow larger [default] link-local mtu due to legacy interop
issues.  imagine your circa 1989 ne2000 card attempting to process
a 4400 byte frame on your local lan.  a lot of the cheap ethernet
cards don't include enough buffering to handle such a large frame
let alone the legacy issues involved.. and remember the enterprise
networks have a far larger number of ethernet interfaces deployed
than the entire internet combined * 100 at least.  any change
to the spec would obviously affect them also.

- jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Paul Vixie



[EMAIL PROTECTED] (Sean Donelan) writes:

 If there is a magic solution, I would love to hear about it.
 
 Unfortunately, the only solutions I've seen involve considerable work and
 resources to implement and maintain all the exceptions needed to do 100%
 source address validation.

I had no idea this was so hard.  I guess the people who maintain AS3557 (or
AS6461 for that matter) do such a job of making this _look_ easy that I just
naturally thought it _was_ easy.  Forgive my simple minded approach, if it
really is simple minded, but... any given interface or peering session or
whatever is either customer facing, peer/transit facing, or a trunk which
leads ultimately to more customer AND more peer/transit facing interfaces
elsewhere in the network.  On customer-facing connections, there's a short
list of things they should be allowed to say as IP source addresses.  (They
might be multihomed but chances are low that you want them giving transit
to other parts of the network through you, no matter whether you do usage
sensitive billing or not.)  On transit/peer facing connections, there's a
short list of things they should NOT be allowed to send from (your own
customers, chiefly) and a short list of things you should NOT be allowed to
send them from (RFC1918 being the big example.)

Because F-root's network operator was filtering out inbound RFC1918-sourced
packets, I could only see them at C-root.  Now, F-root can also see them, so
I can once again collect stats from (and complain about stats from) both.

RFC1918 routes are allowed to float around inside AS3557, by the way, since
customers use them for VPN purposes.  So we don't filter out ingress 1918
from customer-facing interfaces; instead we filter out egress 1918 toward
our peers/transits.

Like I said, I had no idea this was generally thought to be so complicated.
-- 
Paul Vixie

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Paul Vixie



[EMAIL PROTECTED] (Sean Donelan) writes:

 If c.root-servers.net provider did this, they wouldn't see any RFC1918
 traffic because it would be dropped at their provider's border routers.

Right.  But then I wouldn't be able to measure it, which would be bad.

 If c.root-servers.net provider's peer did this, again c.root-servers.net
 provider wouldn't see the rfc1918 packets.

This is the single case where not being able to measure/complain would be OK,
because the problem wouldn't be in the core, it would be (correctly) stopped
at the source-AS.

 So why doesn't c.root-servers.net provider or its peers implement this
 simple solution?  Its not a rhetorical question.  If it was so simple,
 I assume they would have done it already.

C-root's provider is also C-root's owner, and they have offerred to shut this
traffic off further upstream, as F-root's network operators were doing until
yesterday, but I asked that it not be filtered anywhere except C-root itself
(where I can measure it) or distant source-AS's (which is where it makes
sense.)
-- 
Paul Vixie

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Sean Donelan

On Tue, 8 Oct 2002, John M. Brown wrote:
Simulation models I've been running show that an average of 12 to 18 percent
of a providers traffic would disappear if they filtered RFC-1918 sourced
packets. The percentage ranges scale with the size of the provider.
Smaller providers, less impact, larger providers more impact.

In addition to the bandwidth savings, there is also a support cost
reduction and together, I believe backbone providers can see this
on the bottom line of their balance sheets.

Testing a couple of years ago on a widely used router vendor's
implementation of uRPF showed in certain pathalogical cases a 50%
throughput hit when uRPF was turned on. Even a single line access
list permit ip any any had a throughput hit on certain platforms.

http://www.nc-itec.org/archive/URPF/Unicast%20RPF%20Test%20Results%20Summary%20-%20performance%20assessment%20v0.2.pdf

Whether this is still true, the legend lives on. A 20% throughput hit
won't be offset by a 12 to 18 percent bandwidth savings. Especially on
heavily loaded circuits. Some network engineers are reluctant to do any
type of packet filtering (uRPF or ACL based) because of the belief it will
hurt performance (latency, throughput, etc).

While I think its a good idea, and generally do it on any network I design
from scratch; so far you really haven't given me much ammo to convince
people to change what is already working for them.

Going back to the IBM/Ahmdal mainframe days, the traditional requirement
to get people to change was it needed to be 30% cheaper or 30% better.
Anything less, and it was usually wasn't worth the effort of making the
change, especially if the current system didn't have a visible problem.

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Stephen J. Wilcox



On Tue, 8 Oct 2002, Greg A. Woods wrote:

 [ On Tuesday, October 8, 2002 at 22:34:51 (+0100), Stephen J. Wilcox wrote: ]
  Subject: Re: Who does source address validation? (was Re: what's that smell?)
 
  
  So I guess you may argue block RFC1918 tcp inbound but icmp and udp .. you start
  to break things, perhaps that is why large providers dont do this on backbone
  links.
 
 Such things REALLY _NEEED_ to be broken, and the sooner the better as
 then perhaps the offenders will fix such things sooner too, because they
 are by definition already broken and in violation of RFC 1918 and good
 common sense.

Ok but real world calling. I have tried this and when customers find something
doesnt work on your network but it does on your competitor you make it work even
if that means breaking rules.

You've snipped the other comments from my email which goes on to say take any
RFC for a protocol eg POP, SMTP etc and look at whats actually being done with
it, most commonly look at how Microsoft have implemented it or what the big ISPs
are doing on their servers etc and you either tow the line or your service
suffers.

Steve

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Joe Abley




On Wednesday, Oct 9, 2002, at 11:36 Canada/Eastern, Stephen J. Wilcox 
wrote:

 On Tue, 8 Oct 2002, Greg A. Woods wrote:

 Such things REALLY _NEEED_ to be broken, and the sooner the better as
 then perhaps the offenders will fix such things sooner too, because 
 they
 are by definition already broken and in violation of RFC 1918 and good
 common sense.

 Ok but real world calling. I have tried this and when customers find 
 something
 doesnt work on your network but it does on your competitor you make it 
 work even
 if that means breaking rules.

What services require transport of packets with RFC1918 source 
addresses across the public network?

I can think of esoteric examples of things it would be possible to do, 
but nothing that a real-world user might need (or have occasion to 
complain about).

Do you have experience of such breakage from your own customers? It 
would be interesting to hear details.


Joe

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread David Schwartz




Ok but real world calling. I have tried this and when customers find
something
doesnt work on your network but it does on your competitor you make it
work even
if that means breaking rules.

What services require transport of packets with RFC1918 source
addresses across the public network?

I can think of esoteric examples of things it would be possible to do,
but nothing that a real-world user might need (or have occasion to
complain about).

Do you have experience of such breakage from your own customers? It
would be interesting to hear details.

Loss of ICMP packets generated by links with endpoints numbered in RFC1918
space. Holes in traceroutes, broken PMTU detection.

DS

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Sean Donelan




On Wed, 9 Oct 2002, Joe Abley wrote:
 What services require transport of packets with RFC1918 source
 addresses across the public network?

 I can think of esoteric examples of things it would be possible to do,
 but nothing that a real-world user might need (or have occasion to
 complain about).

 Do you have experience of such breakage from your own customers? It
 would be interesting to hear details.

Check the archives, its been covered every time this issue has come up...

   a. Intra-provider links using RFC1918 addresses and MTU changes/PMTU
discovery
   b. Traceroutes TTL exceeded packets across RFC1918 intra-provider links

People used to have lots of problems with Home customers trying to access
their websites if their filtered RFC1918 addresses using large MTU
connected servers (i.e. non-ethernet).  Ok, so Home is out of business,
but I'm sure there are other similar cases which would break.

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Stephen Stuart

 Loss of ICMP packets generated by links with endpoints numbered in RFC1918 
 space. Holes in traceroutes, broken PMTU detection.

Sherman, set the Way-Back Machine for August:

To: David Schwartz [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: NSPs filter? 
In-reply-to: Your message of Thu, 08 Aug 2002 17:57:35 PDT.
 [EMAIL PROTECTED]@whenever 
Date: Thu, 08 Aug 2002 18:45:17 -0700
From: Stephen Stuart [EMAIL PROTECTED]

In August you said it this way:

   One thing that sometimes comes up is that people do number links using 
 RFC1918 address space which occasionally results in an ICMP 'fragmentation 
 needed but DF bit set' packet with an RFC1918 source address. Filtering out 
 this packet could result in TCP breaking.

I still say this:

That can be accomodated; behold, all the joy of PMTUD, with none of
the other crap from designated special-use address space:

firewall {
family inet {
filter external-filter {
term allow-icmp-unreach {
from {
protocol icmp;
icmp-type unreachable;
icmp-code fragmentation-needed;
}
then {
count allow-icmp-need-frag;
accept;
}
}
term allow-icmp-timxceed {
from {
protocol icmp;
icmp-type time-exceeded;
icmp-code [ ttl-eq-zero-during-transit 
ttl-eq-zero-during-reassembly ];
}
then {
count allow-icmp-timxceed;
accept;
}
}
term deny-rfc1918 {
from {
source-address {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
}
}
then {
count deny-rfc1918;
discard;
}
}
term deny-test {
from {
source-address {
192.0.2.0/24;
}
}
then {
count deny-test-net;
discard;
}
}
term deny-autoconfig {
from {
source-address {
169.254.0.0/16;
}
}
then {
count deny-autoconfig;
discard;
}
}
term LAST {
then accept;
}
}
}
}

Application is left as an exercise to the reader.

Stephen

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread alex



 Do you have experience of such breakage from your own customers? It
 would be interesting to hear details.
 
   Loss of ICMP packets generated by links with endpoints numbered in RFC1918
 space. Holes in traceroutes, broken PMTU detection.

Why do those links have endpoints in RFC1918 space to begin with?

Alex

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Paul Vixie



 Just out of interest how do you co-ordinate use of RFC 1918 addresses
 and routes amongst your customers?  Do you run a registry for them, or
 do you just let them fight it out and the one with the biggest packets
 wins or something like that?

there's a registry.  we also maintain IN-ADDR zones for them and 
encourage the use of stub zones in customer name servers in order
to direct their queries toward the local RFC1918 registry.

now, i'll admit that it took almost two hours to get this working
initially, and almost a week for it to settle down, and that the
network is small -- only about 50 customers.  but for the last
few years no RFC1918-sourced traffic, nor any RFC1918-IN-ADDR DNS
query, has egressed from this network.  it can't be THAT hard.

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Stephen J. Wilcox



On Wed, 9 Oct 2002, Joe Abley wrote:

 
 
 On Wednesday, Oct 9, 2002, at 11:36 Canada/Eastern, Stephen J. Wilcox 
 wrote:
 
  On Tue, 8 Oct 2002, Greg A. Woods wrote:
 
  Such things REALLY _NEEED_ to be broken, and the sooner the better as
  then perhaps the offenders will fix such things sooner too, because 
  they
  are by definition already broken and in violation of RFC 1918 and good
  common sense.
 
  Ok but real world calling. I have tried this and when customers find 
  something
  doesnt work on your network but it does on your competitor you make it 
  work even
  if that means breaking rules.
 
 What services require transport of packets with RFC1918 source 
 addresses across the public network?

None afaik which is why they should be blocked - on ingress from customer links.
Dont get me wrong, I'm just sharing experience not ethics and saying we should
all adhere to the RFC but if you apply filters that assume others are also doing
so you may be surprised..

Without repeating myself or list archives its all very well strictly following
all the RFC guidelines and saying to tell the planet its Microsoft or Home's
fault its not working but the customers really dont buy it and they will go
elsewhere and it mightnt be about corporate $$$s but those same $$$s pay your
wages and then it starts to hurt!

 I can think of esoteric examples of things it would be possible to do, 
 but nothing that a real-world user might need (or have occasion to 
 complain about).

On a related issue (pMTU) I recently discovered that using a link with MTU 
1500 breaks a massive chunk of the net - specifically mail and webservers who
block all inbound icmp.. the servers assume 1500, send out the packets with DF
set, they hit the link generating an icmp frag, icmp is filtered and data
stops. Culprits included several major ISP/Telcos ... I'd love to tell the
customer the link is fine its the rest of the Internet at fault but in the end I
just forced the DF bit clear as a temp workaround before finally swapping out to
MTU 1500!

 Do you have experience of such breakage from your own customers? It 
 would be interesting to hear details.

I did attempt strict ingress filtering at borders after a DoS some time ago, I
figured I'd disallow any non public addresses. I took it off within a day after
a number of customers found a whole bunch of things had stopped working...

Unfortunately I cant give you an example as this was a while back and I dont
have the details to hand. 

But if anyone with an appreciable sized customer base wants to try implementing
such filters feel free to forward the customer issues to the list as references!

Steve

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread David Schwartz




On Wed, 9 Oct 2002 15:53:40 -0400 (EDT), [EMAIL PROTECTED] wrote:

Do you have experience of such breakage from your own customers? It
would be interesting to hear details.

Loss of ICMP packets generated by links with endpoints numbered in
RFC1918
space. Holes in traceroutes, broken PMTU detection.

Why do those links have endpoints in RFC1918 space to begin with?

Alex

Because some administrators are ignorant, clueless, or malicious. We don't
all have the luxury of saying, It doesn't work on our network and it does on
our competitor's, and we could fix it if we wanted to at no significant harm
to us, but we won't because we are in the right.

DS

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread alex



 would be interesting to hear details.
 
 Loss of ICMP packets generated by links with endpoints numbered in
 RFC1918
 space. Holes in traceroutes, broken PMTU detection.
 
 Why do those links have endpoints in RFC1918 space to begin with?
 
 Alex
 
   Because some administrators are ignorant, clueless, or malicious. We don't
 all have the luxury of saying, It doesn't work on our network and it does on
 our competitor's, and we could fix it if we wanted to at no significant harm
 to us, but we won't because we are in the right.

In that case you should not complain about 1918 space being used for say..
attacking you either. After all, it does work on the network of your
competitors.

ALex

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Stephen Gill

Though
the docs arent indexed in the web search tool yet, JUNOS 5.5 adds the
ability to perform loose uRPF now.

[edit int name unit 0 family
inet]

set rpf-check mode loose

Watch
for wrapping

http://www.juniper.net/techpubs/software/junos/junos55/swconfig55-interfaces/download/swconfig55-interfaces.pdf

Cheers,

--
steve

Date:
Tue,
8 Oct 2002 12:29:48
-0400

From:
Jared Mauch
[EMAIL PROTECTED]

Subject:
Re: Who does source address validation? (was Re:
what's that smell?)

On
Tue,
Oct 08, 2002 at 10:15:28AM
-0600, Danny McPherson wrote:

reachable-via any means you're only going to drop the packet
if you

don't have *ANY* route back to them.

What's a route? An
IP RIB instance? A BGP Loc-RIB instance?
An IGP LSDB

IP prefix entry?
A BGP Adj-RIB-In instance?

I think you mean if you don't have *ANY* **FIB** entry for the

source address.

If I peer with two large providers on the same router and both

have prefix D.1 behind them and advertise the prefix to me, it's

likely that only one of those two paths is going to
make it into

the BGP Loc-RIB (and subsequently, the IP RIB then
FIB).

If I use ANY FIB entry as proof that it's a valid source then

that only addresses RFC1918ish space and only suggest
that I

first need to generate an invalid BGP route for the
prefix, then

spoof the packets. This doesn't fix
spoofing with global IP

addresses.

If I use only entries that occur in the RIB and associate them

with the receiving interface and receive a packet with
an SA of

D.1 from the peer whose path wasn't installed in the BGP

Loc-RIB then I'll drop it. (And
there's nothing broken with

this configuration -- it's why we have routers with 1
million

BGP paths but only 150K routes/fib entries, as I'm sure you

know).

If you're going to do source address validation then you need

to associated all potential valid paths for a given
prefix with

the associated ingress interface, else it's mostly
useless.

Yes, but if i continue in my ideal situation of people

(mostly) filter their bgp
customers, so they won't announce the

1918 space, or similar. even the large
peers filter out each other

so
they don't pick up 1918 announcements.
Plus people use Robs

Secure
IOS Template to drop extraneous bgp
announcements for

unregistered/unassigned
space (from IANA).

I'm not
purporting this as a solution to all problems on

the
internet, but if one walks before one runs this is a reasonable

step in
the correct direction. Or at least a nice bandaid (duct tape?)

to
help keep the network in a bit more sensible shape. And if everyone

did
it, it would help with the orignal problem/statistics
posted about

how
much 1918 space was hitting one specific root server.

I am interested
in hearing other solutions to the problem

including
extra validations such as the above, but those aren't

avalable
today and what i'm suggesting is in the 12.0S and
12.1E

IOS images and probally
others.

- Jared

-
--

Jared
Mauch |
pgp key available via finger from
[EMAIL PROTECTED]

clue++; | http://puck.nether.net/~jared/ My statements are only mine.

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Valdis . Kletnieks


On Wed, 09 Oct 2002 23:05:59 BST, Stephen J. Wilcox said:

 On a related issue (pMTU) I recently discovered that using a link with MTU 
 1500 breaks a massive chunk of the net - specifically mail and webservers who
 block all inbound icmp.. the servers assume 1500, send out the packets with DF

My personal pet peeve is the opposite - we'll try to use pMTU, some provider
along the way sees fit to run it through a tunnel, so the MTU there is 1460
instead of 1500 - and the chuckleheads number the tunnel endpoints out of
1918 space - so the 'ICMP Frag Needed' gets tossed at our border routers,
because we do both ingress and egress filtering.  It's bad enough when all
the interfaces on the offending unit are 1918-space, but it's really annoying
when the critter has perfectly good non-1918 addresses it could use as
the source... Argh...
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech




msg06006/pgp0.pgp
Description: PGP signature

Re: Who does source address validation? (was Re: what's that smell?)

2002-10-09 Thread Steve Francis



[EMAIL PROTECTED] wrote:
 
 My personal pet peeve is the opposite - we'll try to use pMTU, some
 provider
 along the way sees fit to run it through a tunnel, so the MTU there is
 1460
 instead of 1500 - and the chuckleheads number the tunnel endpoints out
 of
 1918 space - so the 'ICMP Frag Needed' gets tossed at our border
 routers,
 because we do both ingress and egress filtering.  
That's not terribly hard to overcome - allow icmp unreachables (from any 
source) in your acl,  then deny all traffic from RFC 1918 addresses, 
then the rest of the ACL.

Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up 
with all the functionality, and almost none of the bogus traffic.

74 matches

Mail list logo