In a previous e-mail, alex@nac.net said:
My question is, why don't larger upstream providers use CEF-CAR (assuming that most use this) do the same to limit the effect of smurf attacks on their (and subsequently, their customers') networks?
There are several issues with doing this, any one of which might prevent a provider from using it.

1) Can't run CEF. There are some situations under which CEF causes problems. The good news is these are getting to be fewer and fewer every day, but as recently as 6 months ago it would regularly crash routers with some line cards under heavy loads. I expect this reason to disappear completely within another 6 months. Also, in the can't-run category there are some (usually smaller) providers still using 7000's, 4000's, and other (dare I say even 2501's?) for customer attach.

2) Can't spare the CPU. Sometimes this has to do with the load of CAR, although generally I expect this is due to other things. If you have 150-200 T1 customers on a 7513 (easy to get with CT3 cards) and you run BGP to even just 25% of them, and you still have RSP2's, then you probably don't have CPU to even think about giving to CAR, no matter how little it uses.

3) Can't manage it. Providers are understaffed with clueful people. That's a universal truth. If you have 1000 customers, that's 1000 CAR entries to make, 1000 people who may ask why packets get dropped when they do some ICMP thing, 1000 people who might bug you to change the access list parameters. When you have a lot of customers it's probably best to make an all-or-nothing decision; one-offs in large networks tend to make junior engineers make mistakes when they don't understand what's really going on.

4) Don't care. I don't mean this in a shallow "screw the customer" way. Rather, if you're a large provider and you provide service to a small provider who's being smurfed, you might assume the small provider did something to provoke the attack, and as such the burden should be on them to track down the sources and report them so they can be permanently shut off. If it doesn't saturate your links and your routers, it's not your problem.

5) It's none of their business. This one works people up. The logic goes like this. If my provider CARs ICMP automatically, why don't they also CAR porn automatically, so it's only a little traffic? Oh, and spam, that should be CARed to help reduce it. All e-mail to and from a competitor, that should be CARed really low.... It's a dangerous road to go down.

My $0.02 is I would be very upset if my provider automatically put any sort of "filter" (including CAR) on my links. I do think it is reasonable for them to make whatever effort they can to help me if I get smurfed, though. The effort may be CAR, it may be simple filtering, it may be a legitimate "our routers can't take it".

-- 
Leo Bicknell - bicknell@ufp.org
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
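For readers who have not seen what "CARing ICMP" for one smurfed customer actually looks like on the box, the following is an added example, not configuration posted by anyone in this thread. It assumes a Cisco 7500-class router running IOS with CEF, a single customer attached on Serial1/0 who has asked for the limit (the per-customer, on-request approach Leo describes, rather than a network-wide default), and illustrative figures of 256 kbps with an 8000-byte burst; the interface name, ACL number and rates are all assumptions.

```cisco
! Added example, not from the original thread. Assumes a Cisco 7500-class
! router running IOS, a customer on Serial1/0, and that the customer has
! asked for ICMP echo-replies to be rate-limited during a smurf attack.
! The 256000 bps / 8000-byte burst figures are illustrative assumptions.
!
! CAR is a CEF feature, so CEF must be enabled globally first.
ip cef
!
! Match only ICMP echo-replies: a smurf attack bounces echo-requests off
! broadcast addresses, so what floods the victim is echo-replies. Other
! ICMP (unreachables, TTL-exceeded, path MTU) is left untouched.
access-list 110 permit icmp any any echo-reply
!
! Apply the limit on the attacked customer's interface only, in the
! output direction (traffic leaving the provider towards the customer).
interface Serial1/0
 description Customer link - ICMP echo-reply CAR added at customer request
 rate-limit output access-group 110 256000 8000 8000 conform-action transmit exceed-action drop
!
! Verification (exec command, not configuration): shows conformed and
! exceeded byte counts so you can confirm the limit is actually biting.
!   show interfaces Serial1/0 rate-limit
```

Two caveats worth keeping in mind. First, this only protects the customer's access link: the full flood still crosses the provider's backbone up to Serial1/0, which is exactly why the "if it doesn't saturate your links it's not your problem" reasoning above cuts both ways. Second, a plain `permit icmp any any` in the ACL instead of `echo-reply` would also rate-limit the unreachables and TTL-exceeded messages that path MTU discovery and traceroute depend on, which is the sort of "why do my packets get dropped when I do some ICMP thing" ticket the message predicts.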