Jon Kibler wrote:
Steve Bertrand wrote:
Jon Kibler wrote:
To answer that question, I would start with ingress and egress filtering by IP address, protocol, etc.:
1) Never allow traffic to egress any subnet unless its source IP address is within that subnet range.

Sorry to nit, but shouldn't your uRPF setup take care of this (and many other of your list items), long before ACLs?
It's absolutely great if you have your list implemented, but imho, all ISPs, no matter how small, should investigate and implement uRPF. It's especially fun to play with RTBH.
To be honest, the smaller you are, the easier it is to implement (i.e. uRPF strict everywhere! :)
Steve
Agree for the most part. However:
1) The overwhelming majority of routers I have audited do not have uRPF implemented and most admins do not comprehend it, but they do comprehend (usually) ACLs.
Fair enough. However, a considerable portion of my PE and CE gear consists of 2691s on which uRPF is enabled, so I'd have to wonder which hardware doesn't support it. Even my routers running FreeBSD/Quagga have it enabled. Aside from that, I truly did mean kudos to the poster for at least putting in the effort of configuring such an elaborate ACL setup :) As for the admins not comprehending it, imho, if someone is in a position of operating an Internet Provider network, particularly one that utilizes BGP, they need to comprehend it, if even just out of respect for the community. IIRC, it was about two weeks after I read Kumari's initial draft that I had it not only understood, but implemented. Even given the small scale that I am at, it really sucks when you see BOGON/your own prefixes ingress to your network. What's more upsetting is when you have made more than one request to an upstream to stop it, and you get no response... at all.
2) L3 switching does not always support it, leaving potential for abuse if the network has any donut holes.
I didn't think of that angle. My experience with L3 switching is very limited. My understanding, though, is that most ops use L3 switching closer to the core (as opposed to the edge), where uRPF isn't needed anyhow.
3) uRPF works best on egress but does little on outside ingress (e.g., bogons).
Unless you have implemented an automated s/RT(BH|sink). Cymru bogons (learnt via peering) on a trigger box, pushed in through a route-map tagged with the null-route community to the PE. Works magic.
4) Defense in depth dictates using more than one way to detect an attack, so use both ACLs and uRPF.
I completely agree. Useful not only as depth, but to patch the holes where one can't implement strict uRPF due to a client having multiple peer points within your network.

Cheers,
Steve
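As an added illustration (not code from either poster), the checks discussed in this thread modelled in Python: strict and loose uRPF against a constructed FIB, the per-subnet source ACL from item 1, and a bogon match, including the multi-homed customer case where strict uRPF drops legitimate traffic arriving at the second peer point while the ACL still covers it. The FIB, interface names, prefixes and sample packets are all constructed for the example.

```python
import ipaddress

# Constructed FIB for a small PE router: prefix -> interfaces the best route points out.
# 203.0.113.0/24 is a customer with two peer points on this router, but the FIB's best
# path is only Gi0/2, so traffic it sends in via Gi0/3 looks asymmetric to strict uRPF.
FIB = {
    "0.0.0.0/0": {"Gi0/0"},            # default route toward upstream
    "198.51.100.0/24": {"Gi0/1"},      # single-homed customer
    "203.0.113.0/24": {"Gi0/2"},       # multi-homed customer, best path only
}
# Constructed subset of bogon space (never a legitimate Internet source address).
BOGONS = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8")]
# Subnet assigned to each customer-facing interface, the basis for the egress ACL.
IF_SUBNET = {"Gi0/1": "198.51.100.0/24", "Gi0/2": "203.0.113.0/24", "Gi0/3": "203.0.113.0/24"}

def best_route(src):
    """Longest-prefix match of src against FIB; returns (network, interfaces)."""
    addr, best = ipaddress.ip_address(src), None
    for p in FIB:
        net = ipaddress.ip_network(p)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return (best, FIB[str(best)]) if best else (None, set())

def urpf_strict(src, ingress_if):
    """Strict mode: the best route back to src must point out the ingress interface."""
    net, ifaces = best_route(src)
    return net is not None and ingress_if in ifaces

def urpf_loose(src):
    """Loose mode: any non-default route back to src suffices; interface is not checked."""
    net, _ = best_route(src)
    return net is not None and net.prefixlen > 0

def egress_acl(src, ingress_if):
    """The thread's ACL rule: traffic leaving a customer subnet must be sourced inside it."""
    subnet = IF_SUBNET.get(ingress_if)
    return subnet is not None and ipaddress.ip_address(src) in ipaddress.ip_network(subnet)

def is_bogon(src):
    return any(ipaddress.ip_address(src) in net for net in BOGONS)

def evaluate(src, ingress_if):
    """Run every check on one packet so the disagreements between them are visible."""
    return {"strict": urpf_strict(src, ingress_if), "loose": urpf_loose(src),
            "acl": egress_acl(src, ingress_if), "bogon": is_bogon(src)}

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "Gi0/1"), ("203.0.113.9", "Gi0/3"),
                ("198.51.100.7", "Gi0/2"), ("10.1.2.3", "Gi0/1")]:
        print(pkt, evaluate(*pkt))  # constructed sample packets (src, ingress interface)
```

The second packet is the hole the thread describes: strict uRPF fails it, loose uRPF and the ACL pass it; the third packet (one customer's address arriving on another customer's interface) is caught by strict uRPF and the ACL but passes loose uRPF, which is why both layers are worth keeping.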