Re: peering requirements (Re: DDOS anecdotes)
is the acl for large peers 2 known and loadable into routers?
no. not now, not ever.
i am not comfortable with the assumption that my peer must have similar agreements with all their peers. heck, if i did, then, aside from the business issues (you gonna force att/cw/sprint/uu/... how to conduct their peering policy?) how does all this bootstrap?
that's it. you've put your finger on the knot.
so we have two problems with this o we can't tell big peers how to conduct their business
maybe, maybe not. it depends on whether the cost of not doing it outweighs the cost of doing it. big peers are big because they run successful and for the most part profitable businesses. and sure as hell the cost of not doing this is going up quickly, while the cost of doing it is coming down slowly. (have the lines crossed yet? let's find out!)
o source filtering at high bandwidth
i consider this nonsoluble. some routers can already do it, but making the ownership and deployment of such routers be the minimum price of entry into the peering game is a fatal nonstarter of an idea. and the infrastructure for expressing netblock ownership in a way that could be used to build accurate and reliable filters (assuming the routers could load such filters and act on them at wire speed) isn't there. i think this way lies madness.
source filtering is an edge problem, at current technology levels. but how to ensure that other people do it at THEIR edge is a separate problem from how to do it at YOUR edge. the former is social/economic, the latter is technical.
source filtering is an edge problem, at current technology levels. but how to ensure that other people do it at THEIR edge is a separate problem from how to do it at YOUR edge. the former is social/economic, the latter is technical.
you might not appreciate the adjectives which come to mind when you suggest that i try social engineering to make others do what i suspect not to be technically achievable.
randy
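The edge-versus-peering-point distinction Vixie draws above, worked through as an added Python example that is not part of this thread and not anyone's production filter. Everything in it is constructed for illustration: the customer prefixes, the peer names, the deliberately incomplete ownership registry, and the traffic sample with its ground-truth "spoofed" flag. At the customer edge the provider assigned the prefixes itself, so the allow-list is short and authoritative; at a peering port the same check needs an ownership database for the whole table, and the example shows what happens to legitimate and spoofed sources when that database has a hole in it, under either policy for unregistered space.

```python
"""Source filtering at the customer edge vs. at a peering port (constructed example)."""
import ipaddress
from collections import Counter

# --- Customer edge -----------------------------------------------------------
# Constructed: the prefixes the provider routed to one customer port.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def edge_filter(src_ip, assigned_prefixes=CUSTOMER_PREFIXES):
    """Ingress check at the customer edge (the BCP 38 idea).

    The provider handed out these prefixes itself, so the allow-list is short,
    authoritative and cheap to evaluate: any other source address is spoofed.
    """
    src = ipaddress.ip_address(src_ip)
    return any(src in prefix for prefix in assigned_prefixes)


# --- Peering point -----------------------------------------------------------
# Constructed: the netblock-ownership registry a peering router would need.
# It is deliberately incomplete: 203.0.113.0/24 is really originated by
# peer-B, but nobody registered it.  That gap is the thread's
# "the infrastructure for expressing netblock ownership isn't there".
PEER_REGISTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "peer-A",
    ipaddress.ip_network("198.51.100.0/24"): "peer-A",
    ipaddress.ip_network("100.64.0.0/10"): "peer-B",
}

VERDICT_WORD = {"accept": "accepted", "drop": "dropped"}


def peering_filter(src_ip, arriving_from, registry=PEER_REGISTRY, unknown="accept"):
    """Source check at a peering port.

    Returns "accept" or "drop" for registered space.  For sources the registry
    does not cover it returns the `unknown` policy: "accept" lets unregistered
    traffic through (spoofed or not), "drop" blackholes it (legitimate or not).
    """
    src = ipaddress.ip_address(src_ip)
    owners = [owner for prefix, owner in registry.items() if src in prefix]
    if not owners:
        return unknown
    return "accept" if arriving_from in owners else "drop"


# Constructed traffic sample: (source address, peer it arrived from, truly spoofed?).
# The last field is ground truth used only for scoring; the router never sees it.
PEERING_SAMPLE = [
    ("192.0.2.10", "peer-A", False),
    ("198.51.100.200", "peer-A", False),
    ("100.64.3.4", "peer-B", False),
    ("203.0.113.7", "peer-B", False),   # legitimate, but the registry has no entry
    ("192.0.2.77", "peer-B", True),     # peer-A's space showing up via peer-B
    ("203.0.113.99", "peer-A", True),   # spoofed out of the unregistered block
]


def score(sample=PEERING_SAMPLE, unknown="accept"):
    """Count legit/spoofed x accepted/dropped outcomes for one unknown-source policy."""
    counts = Counter()
    for src, peer, spoofed in sample:
        verdict = peering_filter(src, peer, unknown=unknown)
        label = ("spoofed" if spoofed else "legit") + "-" + VERDICT_WORD[verdict]
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    # Edge: exact allow-list, no registry needed.
    for ip in ("192.0.2.10", "198.51.100.200", "203.0.113.7"):
        print(f"edge  {ip:16} -> {'accept' if edge_filter(ip) else 'drop'}")
    # Peering: whichever policy you pick for unregistered space, something leaks.
    for policy in ("accept", "drop"):
        print(f"peering, unknown={policy}: {score(unknown=policy)}")
```

With `unknown="accept"` the spoofed packet from the unregistered block walks through; with `unknown="drop"` the legitimate packet from that same block is blackholed. The edge filter has no such dilemma because the provider knows exactly which prefixes belong on that port, which is the sense in which the problem is technical at your own edge and social/economic everywhere else.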
At 14:52 26/06/01 -0700, Paul A Vixie wrote:
o source filtering at high bandwidth
i consider this nonsoluble. some routers can already do it, but making the ownership and deployment of such routers be the minimum price of entry into the peering game is a fatal nonstarter of an idea. and the infrastructure for expressing netblock ownership in a way that could be used to build accurate and reliable filters (assuming the routers could load such filters and act on them at wire speed) isn't there. i think this way lies madness.
source filtering is an edge problem, at current technology levels. but how to ensure that other people do it at THEIR edge is a separate problem from how to do it at YOUR edge. the former is social/economic, the latter is technical.
I have found a fairly easy way to make this start happening. When putting out an RFI/RFP for some Internet connectivity/Web hosting/VPN/etc. - in addition to putting in the obvious rtt minimums, SLAs, OC-48 backbones, 24x7 NOCs, etc. I have started to include the following:

- anti-spoofing source filtering

Even if the ISP can't do it - the sales and marketing people are now driving the change process. The more RFI/RFPs that ISPs see that contain such a mandatory section, the more the network will become a better place to live. There are more than enough consultants/people on this list that can drive this process very quickly.

-Hank

PS I also include "human response to abuse@ email within 24 hours" :-)
participants (3): Hank Nussbacher, Paul A Vixie, Randy Bush