
Phil Howard wrote:
Jon Lewis wrote:
This might not be allowed under existing service contracts. Most providers probably have provisions to disconnect for network abuse...but not for cluelessness.
Then we need to re-classify having an open broadcast amplifier as an abuse. If we can get upstreams and backbones to give a formal 30 day notice, then start cutting lines ...
I think this could easily be classified as abuse or abuse through negligence (reckless endangerment?). Provider contracts should specify that downstreams must deal with ingress filtering and must ensure their networks will not respond to directed broadcasts from outside.
OTOH, what about just declaring that X.X.X.{0,255} is off limits regardless of the network size? It would take just 2 access list entries to make those addresses in networks larger than /24 mostly useless. There aren't that many LANs out there that would have real non-broadcast use on these addresses, anyway. I block these coming into my network as destinations, and I'm tempted to block them as sources, as well. Once these addresses are indeed off limits, then the next step is to get backbones to put in the access lists.
No. This is not a good plan. There are indeed networks out there with supernetted LANs. I consult for a large research institution which uses /22 masks for all subnets, and heavily uses them. The chances of clobbering perfectly legitimate addresses are real. Beyond this, there are plenty of /25 networks that'll do a perfectly good job of playing smurf-amplifier.

The solution isn't to apply access lists. The proper answer to this is to disable directed broadcasts on the routers themselves. It'd be helpful if routers came out of the box with this feature disabled by default. Perhaps folks should talk with their router vendors of choice and ask for this change. I have submitted a draft into the IETF process to require this change, updating RFC 1812 (router requirements).

Unfortunately directed broadcasts, like ingress filtering, are items that have to be properly dealt with at the edges of the network.

I do wonder if we will start seeing network providers' legal departments start taking notice of the situation. Negligence in operating a network and becoming an unwitting accessory to a crime might raise the level of urgency in getting folks to address both ingress filtering and directed broadcast issues. I would prefer to see this handled by the technical folks without getting the legal types into the fray, but worry that some will not take the urgency to heart.

--
-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranthnetworks.com
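Added illustration (not part of the thread) of the two objections above: the X.X.X.{0,255} access-list idea misses the broadcast address of a /25 and blocks legitimate hosts inside a /22. The three LAN prefixes are constructed sample values, not networks named by any poster.

```python
import ipaddress

def last_octet_rule_blocks(addr: ipaddress.IPv4Address) -> bool:
    """The proposed X.X.X.{0,255} filter: drop any destination ending in .0 or .255."""
    return (int(addr) & 0xFF) in (0, 255)

def directed_broadcast_targets(prefix: str) -> set:
    """Addresses a router with directed broadcasts enabled will flood onto this LAN
    (the all-ones broadcast, plus the all-zeros form older stacks also honour)."""
    net = ipaddress.ip_network(prefix)
    return {net.network_address, net.broadcast_address}

def evaluate_last_octet_rule(prefixes):
    """Return {prefix: (broadcast targets the rule misses, host addresses it wrongly blocks)}
    with every address rendered as a string."""
    report = {}
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        missed = [str(a) for a in sorted(directed_broadcast_targets(prefix))
                  if not last_octet_rule_blocks(a)]
        clobbered = [str(a) for a in net.hosts() if last_octet_rule_blocks(a)]
        report[prefix] = (missed, clobbered)
    return report

# Constructed sample LANs: a supernetted /22 like the research institution's,
# a /25 that can still amplify, and a classic /24 where the rule works.
SAMPLE_LANS = ["10.1.0.0/22", "10.2.0.128/25", "10.3.0.0/24"]

if __name__ == "__main__":
    for prefix, (missed, clobbered) in evaluate_last_octet_rule(SAMPLE_LANS).items():
        print(f"{prefix}: broadcast targets the filter misses: {missed or 'none'}")
        print(f"{'':>{len(prefix)}}  legitimate hosts the filter blocks: {clobbered or 'none'}")
```

The /25 keeps an unfiltered amplifier address and the /22 loses six usable host addresses, which is why the message argues for disabling directed broadcast on the router interface itself (in Cisco IOS, `no ip directed-broadcast` per interface) rather than for address-based access lists.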