On Wed, 28 Mar 2001, David Schwartz wrote:
We are not talking about a firewall. We are not talking about a military installation. We are talking about our customers, and we should be taking an 'innocent until proven guilty' approach with them whenever it is reasonably possible to do so.
What's wrong with writing it into the contract that you only let packets pass out of their network with source addresses that you've assigned them? You could also state that you will let other networks out as they see fit.
There are some cases where it certainly isn't possible to do so. BGP route filtering is a great example.
Yes, so is filtering packets with forged source addresses.
An unfiltered connection could allow a misconfigured customer to do massive amounts of damage very quickly. That's not tolerable.
Note how this applies to filtering source IPs.
Perhaps you are using the term "filtering" differently from the way I am. When I say "filtering", I'm referring to blocking. Logging and analyzing is wonderful. Filtering is neutral (can be good or bad depending upon many factors).
OK, so one of your customers, who is being 'watched' but not filtered, has all 30 of his Linux boxes rooted. He then proceeds to launch a massive DoS attack against me. I guess you'd notice this when it's convenient? Or do you have an intricate log-watching utility that will page you out of bed? I can't call you, because I don't know where the traffic is really coming from.
This is a level of service issue. If you want, you can coerce your customers to pre-arrange what IPs they can use on your service. This may make things harder for their customers, but you can do it if you want to. Fine with me, I don't care. (But think long and hard before coercing your customers into an arrangement you yourself couldn't live with.)
If they know enough to be talking BGP with two providers, they likely know enough to tell you what the IPs they are announcing are. Why is it such a big deal to simply put "sanity filters" on? This argument seems to be drawn between 'those who've been attacked from a non-filtered connection' and 'those who haven't been attacked by same'. Charles [...]
DS
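The "sanity filter" both sides of the thread are arguing about is a source-address check on the customer-facing link: the provider knows which prefixes it assigned to (or accepts BGP announcements for) each customer, and any packet arriving from that customer with some other source address is either logged or dropped. The block below is an added illustration, not code from either poster; the customer names, prefixes and packet samples are constructed, and the `IngressFilter` class and its `policy` values ("log" versus "filter") are hypothetical names chosen for the example. It shows the practical difference the thread hinges on: with a log-only policy the forged packets still leave the network and the victim cannot tell where they came from, while with a filter policy they never leave, and the provider's own log still records which link they arrived on.

```python
"""Source-address (ingress) sanity filter for customer-facing links.

Added example for this thread, not code from the original posters.
Assumes a hypothetical provider that records, per customer link, the
prefixes the customer was assigned or announces over BGP, and checks
every packet arriving on that link against that list.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data: prefixes each customer may legitimately source from.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],                       # single-homed, assigned by us
    "cust-b": ["198.51.100.0/24", "203.0.113.0/24"],  # multi-homed, tells us what it announces
}

# Constructed sample traffic as (customer link, source IP, destination IP).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "198.51.100.5"),    # legitimate
    ("cust-a", "10.0.0.1", "203.0.113.99"),      # forged: not a cust-a address
    ("cust-b", "203.0.113.7", "192.0.2.20"),     # legitimate
    ("cust-b", "192.0.2.55", "203.0.113.99"),    # forged: cust-b sourcing cust-a's space
    ("cust-b", "198.51.100.200", "192.0.2.20"),  # legitimate
]


@dataclass
class IngressFilter:
    """policy is 'log' (observe only, still forward) or 'filter' (drop)."""
    policy: str
    prefixes: dict
    stats: Counter = field(default_factory=Counter)
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.policy not in ("log", "filter"):
            raise ValueError("policy must be 'log' or 'filter'")
        # Parse the prefix strings once so per-packet checks are cheap.
        self.nets = {
            cust: [ipaddress.ip_network(p) for p in plist]
            for cust, plist in self.prefixes.items()
        }

    def source_allowed(self, customer: str, src: str) -> bool:
        """True if src falls inside one of the prefixes pre-arranged for this link."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.nets.get(customer, []))

    def process(self, customer: str, src: str, dst: str) -> str:
        """Return 'forward' or 'drop' for one packet and update counters/log."""
        if self.source_allowed(customer, src):
            self.stats[(customer, "ok")] += 1
            return "forward"
        # Unexpected source: record which link it really came from.
        self.stats[(customer, "spoofed")] += 1
        self.log.append(f"{customer}: unexpected source {src} -> {dst}")
        if self.policy == "filter":
            return "drop"
        return "forward"  # log-only policy: the forged packet still leaves our network


def run_sample(policy: str) -> dict:
    """Run the constructed packets through a filter and summarise the outcome."""
    f = IngressFilter(policy=policy, prefixes=CUSTOMER_PREFIXES)
    spoofed_forwarded = 0
    for cust, src, dst in SAMPLE_PACKETS:
        verdict = f.process(cust, src, dst)
        if verdict == "forward" and not f.source_allowed(cust, src):
            spoofed_forwarded += 1
    return {
        "policy": policy,
        "spoofed_seen": sum(v for (_, kind), v in f.stats.items() if kind == "spoofed"),
        "spoofed_forwarded": spoofed_forwarded,
        "log": list(f.log),
    }


def spoofing_links(policy: str, threshold: int = 1) -> list:
    """Customer links whose spoofed-packet count reached the threshold: the
    hypothetical 'page me out of bed' condition from the thread."""
    f = IngressFilter(policy=policy, prefixes=CUSTOMER_PREFIXES)
    for cust, src, dst in SAMPLE_PACKETS:
        f.process(cust, src, dst)
    return sorted(c for (c, kind), v in f.stats.items()
                  if kind == "spoofed" and v >= threshold)


if __name__ == "__main__":
    for pol in ("log", "filter"):
        print(run_sample(pol))
    print("links needing a call:", spoofing_links("log"))
```

Both policies produce the same log, so the provider can still identify the offending link either way; the difference is that under "log" two forged packets reach the rest of the Internet while under "filter" none do.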