IMHO, it's not too bad if you do it at your edges. Explicit permits for valid source addrs is a well-known defense against source spoofing which of course also addresses the RFC1918 leakage issue to some degree. It's not that hard to incorporate this into customer installation and support processes. A lot more difficult to manage at the borders.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sean Donelan
Sent: Tuesday, October 08, 2002 10:09 AM
To: Joe Abley
Cc: Kelly J. Cooper; nanog@merit.edu
Subject: Who does source address validation? (was Re: what's that smell?)
On Tue, 8 Oct 2002, Joe Abley wrote:
What is difficult about dropping packets sourced from RFC1918 addresses before they leave your network?
I kind of assumed that people weren't doing it because they were lazy.
I've checked the marketing stuff of several backbones, as far as I could tell only one makes the blanket statement about source address validation on their entire network.
http://www.ipservices.att.com/backbone/techspecs.cfm
AT&T has also implemented security features directly into the backbone. IP Source Address Assurance is implemented at every customer point-of-entry to guard against hackers. AT&T examines the source address of every inbound packet coming from customer connections to ensure it matches the IP address we expect to see on that packet. This means that the AT&T IP Backbone is RFC2267-compliant.
What backbones do 100% source address validation? And how much of it is real, and how much is marketing? On single-homed or few-homed stub networks it's "easy." But even in a moderately complex transit network it becomes "difficult." Yes, I know about uRPF-like stuff, but the router vendors are still tweaking it.
If there is a magic solution, I would love to hear about it. Unfortunately, the only solutions I've seen involve considerable work and resources to implement and maintain all the "exceptions" needed to do 100% source address validation.
Heck, the phone network still has trouble getting the correct Caller-ID end-to-end.
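The two approaches discussed in this thread, explicit per-customer permit lists at the edge versus a reverse-path (uRPF-style) check on a transit router, can be modelled in a few lines. The following is an added example, not code from either poster or from any vendor; all prefixes, interface names, FIB entries and packets in it are constructed. It shows the edge ACL dropping both spoofed and RFC1918 sources, and the strict reverse-path check rejecting a legitimate source on a multi-homed peer link when the best route back points elsewhere, which is the kind of "exception" the quoted message says makes 100% validation hard on transit networks.

```python
"""Ingress source-address validation (RFC 2267 / BCP 38 style), modelled.

Two checks:
  1. Explicit per-interface permit lists, as used at customer edges: a
     packet is accepted only if its source is in a prefix assigned to the
     interface it arrived on.
  2. A strict-uRPF-like check against a FIB: a packet is accepted only if
     the best route back to its source exits the arrival interface. On a
     multi-homed peer link with asymmetric routing a legitimate source
     can fail this check, which is why transit edges need exceptions.
Every prefix, interface, FIB entry and packet below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# RFC 1918 space plus a few other sources that should never arrive from outside.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed customer edges: interface -> prefixes assigned to that customer.
EDGE_PERMITS: Dict[str, List[ipaddress.IPv4Network]] = {
    "cust-A": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-B": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("203.0.113.128/26")],
}

# Constructed FIB for the transit case: prefix -> egress interface.
# peer-X and peer-Y are both upstream peers; the best path to 192.0.2.0/24
# is via peer-X, while peer-Y carries the default route.
FIB: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("198.51.100.0/24"), "cust-A"),
    (ipaddress.ip_network("203.0.113.0/24"), "cust-B"),
    (ipaddress.ip_network("192.0.2.0/24"), "peer-X"),
    (ipaddress.ip_network("0.0.0.0/0"), "peer-Y"),
]


def is_bogon(src: str) -> bool:
    """True if src falls in RFC 1918 or other never-valid source space."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_SOURCES)


def edge_permit_check(iface: str, src: str) -> str:
    """Customer-edge ACL: permit only prefixes assigned to this interface."""
    if is_bogon(src):
        return "drop:bogon"
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in EDGE_PERMITS.get(iface, [])):
        return "permit"
    return "drop:not-assigned"


def longest_match(src: str) -> str:
    """Egress interface of the most specific FIB entry covering src."""
    addr = ipaddress.ip_address(src)
    best = max((e for e in FIB if addr in e[0]), key=lambda e: e[0].prefixlen)
    return best[1]


def strict_urpf_check(iface: str, src: str) -> str:
    """Strict uRPF: accept only if the reverse path to src exits via iface."""
    if is_bogon(src):
        return "drop:bogon"
    if longest_match(src) == iface:
        return "permit"
    return "drop:urpf-fail"


if __name__ == "__main__":
    # Constructed sample packets: (arrival interface, source address)
    packets = [
        ("cust-A", "198.51.100.7"),   # legitimate customer source
        ("cust-A", "203.0.113.9"),    # spoofed: another customer's space
        ("cust-B", "10.1.2.3"),       # RFC 1918 leak
        ("peer-Y", "192.0.2.50"),     # legitimate on a multi-homed peer, but
    ]                                 # the best route back points at peer-X
    for iface, src in packets:
        print(f"{iface:7} {src:15} edge={edge_permit_check(iface, src):18}"
              f" urpf={strict_urpf_check(iface, src)}")
```

The edge check is the cheap, deterministic one: it needs only the customer's assigned prefixes, which is why it fits into an installation process. The reverse-path check needs no per-customer data but is only as good as the symmetry of the routing table, and the last sample packet is the case that turns into a maintained exception list on a transit border.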