michael.dillon@bt.com wrote:
matsuzaki-san's preso, I think the copy he will present next week at apops:
To summarize, using /64 on a link opens the door to a DOS problem that we need to pressure the vendors to fix.
How is this not an obvious 'duh' kind of situation that just depends on doing one's configuration correctly? A similar problem occurs when one assigns a /48 down the P2P link and the downstream user has a default route back upstream but doesn't route the /48 to a loopback, but only routes a part of it (eg a /64 or two). eg:

{ Internet } - { ISP } - { p2p-link } - { customer } - { c1 }
                                                     \ { c2 }

p2p-link = 2001:db8:1000::/64 (::1 == ISP, ::2 == Customer)
customer = 2001:db8:2000::/48 via 2001:db8:1000::2
c1       = 2001:db8:2000:1::/64
c2       = 2001:db8:2000:1::/64

Packets from $internet to 2001:db8:2000:1234::1 will travel down to the customer, who routes it with its default back up to the p2p-link, where your correctly configured box will see a source address of $internet and icmp admin reject it because that is an invalid source address. Indeed the packet will bounce back up and a third packet (the icmp) will be sent, thus you have an amplification of 3x, but who cares? That is at the customer link, they should configure that link correctly, and they are paying you for that link anyway -> their problem, your cash $$$ :)

RPF saves the day here yet again. Remember boys and girls to configure at least your boxes correctly, don't trust other people to do the same ;)

There are a number of "ISP's" who of course don't do this and which allow full spoofing from any prefix as they don't do RPF or even something as simple as a "source != 2001:db8::/32" or whatever they have as their own prefix on their core routers. There are of course also "ISP's" which think they are transits and tunnel to everybody they can find; these "ISP's" then of course also don't do any spoofing-filtering and generally have 'customers' that exhibit the same problem, as those just set a default back upstream. Take a small guess how easy it is to take those networks off the Internet.... better start fixing that broken setup ;)

Greets,
 Jeroen
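The ping-pong Jeroen describes, worked through as an added example (this is not code from the post or from any of the vendors mentioned). It models the diagram above with a longest-prefix-match lookup on each box and lets you flip the two knobs that matter: whether the customer anchors the whole /48 to a discard route, and which ingress filter the ISP applies on the customer-facing interface (strict uRPF, the cruder "source must be inside our own aggregate" check, or nothing). Assumptions made here and not in the post: the Internet source is 3fff:1::1, the second customer LAN is 2001:db8:2000:2::/64 (the post lists the same /64 twice), the packet starts with hop limit 64, and interface names are invented.

```python
import ipaddress

# Constructed topology mirroring the thread's diagram (example only, not from
# the post). Interface names, the 3fff:1::1 "Internet" source, hop limit 64
# and the c2 prefix 2001:db8:2000:2::/64 are assumptions for this example.
UPSTREAM_IF = "upstream"        # ISP transit-facing interface
ISP_LINK_IF = "p2p-customer"    # ISP side of the p2p link
CUST_LINK_IF = "p2p-isp"        # customer side of the p2p link
ISP_PREFIX = "2001:db8::/32"    # the ISP's own aggregate
INTERNET_SRC = "3fff:1::1"      # some host out on the Internet ($internet)
HOP_LIMIT = 64                  # assumed initial IPv6 hop limit

ISP_TABLE = [
    ("::/0", UPSTREAM_IF),
    ("2001:db8:1000::/64", ISP_LINK_IF),   # the p2p link itself
    ("2001:db8:2000::/48", ISP_LINK_IF),   # customer /48 via 2001:db8:1000::2
]

# Broken customer router: only two /64s are routed, so the rest of the /48
# matches nothing better than the default route back up the link.
CUST_TABLE_BROKEN = [
    ("::/0", CUST_LINK_IF),
    ("2001:db8:2000:1::/64", "c1"),
    ("2001:db8:2000:2::/64", "c2"),
]

# Fixed customer router: the whole /48 also points at a discard
# (null/loopback) route, so unused space inside it is dropped locally.
CUST_TABLE_FIXED = CUST_TABLE_BROKEN + [("2001:db8:2000::/48", "discard")]


def lookup(table, addr):
    """Longest-prefix match; returns the next-hop label or None."""
    ip = ipaddress.ip_address(addr)
    best_len, best_nh = -1, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_nh = net.prefixlen, nh
    return best_nh


def isp_ingress_ok(src, arrived_on, mode):
    """Ingress check on the ISP box for packets arriving from the customer.
    mode: None (no filtering), 'strict-urpf' (best route back to src must
    point out the ingress interface) or 'own-prefix' (src must lie inside
    the ISP's aggregate)."""
    if mode is None or arrived_on == UPSTREAM_IF:
        return True
    if mode == "strict-urpf":
        return lookup(ISP_TABLE, src) == arrived_on
    if mode == "own-prefix":
        return ipaddress.ip_address(src) in ipaddress.ip_network(ISP_PREFIX)
    raise ValueError(f"unknown filter mode {mode!r}")


def simulate(cust_table, dst, isp_filter="strict-urpf", src=INTERNET_SRC):
    """Walk one packet from the Internet toward dst through the ISP and
    customer routers. Returns (outcome, frames_on_link): how the packet ended
    and how many frames (packet copies plus any ICMP reply) crossed the link."""
    hops, frames = HOP_LIMIT, 0
    node, arrived_on = "isp", UPSTREAM_IF
    while hops > 0:
        if node == "isp":
            if not isp_ingress_ok(src, arrived_on, isp_filter):
                frames += 1   # ICMPv6 admin-prohibited goes back down the link
                return ("isp-ingress-drop", frames)
            nh = lookup(ISP_TABLE, dst)
            if nh != ISP_LINK_IF:
                return ("isp-forwarded-" + nh, frames)
            frames, hops = frames + 1, hops - 1
            node, arrived_on = "customer", CUST_LINK_IF
        else:
            nh = lookup(cust_table, dst)
            if nh == "discard":
                return ("customer-discard", frames)
            if nh != CUST_LINK_IF:
                return ("delivered-" + nh, frames)
            frames, hops = frames + 1, hops - 1   # bounced up via default route
            node, arrived_on = "isp", ISP_LINK_IF
    # Hop limit ran out while ping-ponging; a real router would also emit an
    # ICMPv6 time-exceeded here, which is not counted.
    return ("hop-limit-exceeded", frames)


if __name__ == "__main__":
    unused = "2001:db8:2000:1234::1"
    for label, table, mode in [
        ("broken customer, ISP strict uRPF", CUST_TABLE_BROKEN, "strict-urpf"),
        ("broken customer, ISP own-prefix filter", CUST_TABLE_BROKEN, "own-prefix"),
        ("broken customer, ISP no filtering", CUST_TABLE_BROKEN, None),
        ("fixed customer, ISP no filtering", CUST_TABLE_FIXED, None),
    ]:
        print(f"{label}: {simulate(table, unused, mode)}")
    print("legit host:", simulate(CUST_TABLE_BROKEN, "2001:db8:2000:1::5"))
```

With the broken customer table and either ISP filter the unused address costs three frames on the link (down, back up, ICMP), which is the 3x the post mentions; with no filter at all the same packet ping-pongs until its hop limit is exhausted, 64 frames for one Internet packet. Anchoring the /48 to a discard route on the customer side ends the loop after a single frame regardless of what the ISP does, which is why the fix belongs on both boxes.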