Re: [Update] Re: New ISP to market, BCP 38, and new tactics
On 4/02/2009, at 2:43 PM, Steve Bertrand wrote:
Nathan Ward wrote:
On 4/02/2009, at 2:33 PM, Steve Bertrand wrote:
- Currently, (as I write), I'm migrating my entire core from IPv4 to IPv6. I've got the space, and I love to learn, so I'm just lab-ing it up now to see how things will flow with all iBGP v4 routes being advertised/routed over v6.
Don't advertise v4 prefixes in v6 sessions, keep them separate.
This entire discussion went off topic, in regards to bcp and filtering.

Off-list, I had someone point out:

http://tools.ietf.org/html/draft-kumari-blackhole-urpf-02

...which is EXACTLY in line with what my end goal was originally, and by reading it, I feel as if I was getting there free-hand. This document helps standardize things a bit, and I will follow it to a certain degree, whether or not it is considered under the standards track, or IANA considers approving the request for the BGP Extended Communities Attribute.

What really spooks me after the last week of research, is how easy it would be for a client under my control (or hosts under control of an attacker) to stage/originate an inconspicuous attack (to anywhere), using standard IDS insertion/evasion tactics (even via a tunnel) from hosts within a network bordering my AS. Just by manually viewing logs of ingress traffic, there are just too many holes.

We're too small to mitigate a bandwidth-saturating attack inbound, but I can guarantee that I will ensure to the best of my ability that our network won't be part of any form of attack on yours.

Thank you everyone, for all of the off, and on-list feedback.

Steve
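For readers following the draft Steve links, here is a minimal sketch of the source-based blackholing it describes, written as an added illustration in Cisco IOS syntax (it is not from the thread, the draft, or any vendor document); the AS number 65000, the community value 65000:666, the discard address 192.0.2.1, the trigger-router address and the interface name are all assumptions.

```cisco
! Edge router. The discard address is a placeholder from TEST-NET-1; any
! prefix whose next-hop resolves to it is forwarded to Null0 and dropped.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF on the peer-facing interface: a packet whose SOURCE address
! has a route pointing at Null0 is discarded. This is what turns a blackhole
! route into a drop of inbound traffic FROM that source, not only traffic to it.
interface GigabitEthernet0/1
 description peer-facing (assumed name)
 ip verify unicast source reachable-via any
!
! Only accept blackhole routes that carry the agreed community (assumed value)
! and only as host routes, so a mistyped trigger cannot null-route a /16.
ip community-list standard BLACKHOLE permit 65000:666
ip prefix-list HOST-ROUTES-ONLY seq 5 permit 0.0.0.0/0 ge 32
!
route-map FROM-TRIGGER permit 10
 match community BLACKHOLE
 match ip address prefix-list HOST-ROUTES-ONLY
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map FROM-TRIGGER deny 20
!
! iBGP session to an internal trigger router (address assumed) that
! originates the /32s to be blackholed.
router bgp 65000
 neighbor 10.0.0.9 remote-as 65000
 neighbor 10.0.0.9 description blackhole trigger router
 neighbor 10.0.0.9 route-map FROM-TRIGGER in
```

Every accepted /32 occupies a FIB entry on each edge router that learns it, which is the TCAM exposure raised later in this thread; the no-export tag keeps the routes from leaking to eBGP neighbours.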
Steve Bertrand wrote:
This entire discussion went off topic, in regards to bcp and filtering.
Off-list, I had someone point out:
http://tools.ietf.org/html/draft-kumari-blackhole-urpf-02
...which is EXACTLY in line with what my end goal was originally, and by reading it, I feel as if I was getting there free-hand. This document helps standardize things a bit, ..
This technique, and a whole lot more, may also be found in book form:

Router Security Strategies: Securing IP Network Traffic Planes
by Gregg Schudel and David J. Smith
Cisco Press, December 2007
ISBN 978-1-58705-336-8 (paper-back)

Don't expect to get through it in one sitting; it's ~600+ pages ;-)

Michael
On Feb 4, 2009, at 2:52 AM, Steve Bertrand wrote:
If I understand this correctly, there will be a route entered on each edge router for all sources that are participating in a DDoS attack. Is anyone worried about TCAM usage if one of their customers gets hit with a larger DDoS attack? Add in our IPv6 and v4 multicast tables chewing up more TCAM space and things get even more dicey!

For my part, I'd be worried if the overall IPv4 unicast route table got much larger than ~1million entries because our hardware-based routers might run out of TCAM and bring the whole network to a screeching halt.
On 7/02/2009, at 5:20 AM, Brad Fleming wrote:
On Feb 4, 2009, at 2:52 AM, Steve Bertrand wrote:
If I understand this correctly, there will be a route entered on each edge router for all sources that are participating in a DDoS attack. Is anyone worried about TCAM usage if one of their customers gets hit with a larger DDoS attack? Add in our IPv6 and v4 multicast tables chewing up more TCAM space and things get even more dicey!
For my part, I'd be worried if the overall IPv4 unicast route table got much larger than ~1million entries because our hardware-based routers might run out of TCAM and bring the whole network to a screeching halt.
Or more than 256k routes on a SUP2, or 192k/239K routes on a SUP720. We are at 285798 as of last CIDR report. So, I guess you should be worried.. now :-)

--
Nathan Ward