filtering spoofed addresses cheaply
There has been a fair amount of discussion about where and how to filter spoofed IP Source addresses. I don't understand why this is considered so hard. Let me tell you about what Merit did nearly 15 years ago....

Every NAS (they were called SCPs in those days) knows the address assigned to each link. So, Merit code just replaced the incoming IP Source field with the known address, before calculating the IP Header checksum. Spoofed addresses -> packets discarded with bad checksum. Simple. Elegant. No additional CPU.

We merely want the same thing to happen BY DEFAULT on every dial-up link. Listening Lucent/Livingston? Ascend? Et alia?

Now, the ethernet spoof detection is a little harder, but since each interface is already configured with an address and subnet prefix length (or mask), every interface should simply discard all incoming packets with an IP Source prefix that does not match. The knob for accepting other extra subnets should default to "off", just as the knob for accepting RIP broadcasts defaults to "off", and the knob for BGP peers defaults to "off". KISS.

You don't accept unexpected routing advertisements from your downstreams, do you!?!?

The whole argument about asymmetric routing does not apply. You would not filter at those multi-homed routers in any case, and you already have to configure something special (routing policy).

WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
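As an added illustration (not Merit's code, nor code from any poster in this thread), the following Python models both checks described above on constructed sample headers: the dial-up trick of overwriting the Source field with the address known for the link and then verifying the header checksum, and the per-interface prefix comparison for LAN ports. The addresses and prefix are assumed sample values.

```python
import ipaddress
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4/UDP header with a valid checksum (constructed sample)."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, 0x1234, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(fields)             # computed with checksum field zeroed
    return fields[:10] + struct.pack("!H", csum) + fields[12:]

def merit_rewrite_passes(header: bytes, link_addr: str) -> bool:
    """Dial-up case: overwrite the Source field with the address assigned to the
    link, then verify the checksum the sender put in the header.  If the sender
    used any other source, the sum no longer covers the bytes it was computed
    over and verification fails, so the packet is dropped as corrupt."""
    rewritten = header[:12] + ipaddress.IPv4Address(link_addr).packed + header[16:]
    return ipv4_checksum(rewritten) == 0     # a valid header sums to zero

def prefix_filter_passes(header: bytes, iface_prefix: str) -> bool:
    """LAN case: accept only sources inside the interface's configured prefix."""
    src = ipaddress.IPv4Address(header[12:16])
    return src in ipaddress.ip_network(iface_prefix, strict=False)

if __name__ == "__main__":
    legit = build_ipv4_header("10.1.2.3", "192.0.2.1")      # true link address
    spoofed = build_ipv4_header("198.51.100.7", "192.0.2.1")  # forged source
    for name, pkt in (("legit", legit), ("spoofed", spoofed)):
        print(name, "rewrite-check:", merit_rewrite_passes(pkt, "10.1.2.3"),
              "prefix-check:", prefix_filter_passes(pkt, "10.1.2.0/24"))
```

One caveat the checksum trick carries: the one's-complement sum is not collision-free, so a forged source whose 16-bit words add up to the same value as the real address (for instance the two halves swapped) would still verify, which is why the explicit prefix comparison is the stronger of the two checks.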
one view is that the clue is in the core where it is too late to fix it. and the place it needs to be fixed is at the edges, where the tools are weak and the clues seem (given empirical evidence) too few and far apart. this will change very slowly as market forces move clue toward the edges (on the backs of flying pigs) or the edges wither.

another view is that the site of the cause is not where the pain of the effect is felt. hence the incentive to fix is small. this would seem only susceptible to vigilante acts, which is not cool.

better ideas welcome.

randy
On Sat, Apr 25, 1998 at 11:47:00PM -0700, Randy Bush wrote:
> one view is that the clue is in the core where it is too late to fix it. and the place it needs to be fixed is at the edges, where the tools are weak and the clues seem (given empirical evidence) too few and far apart. this will change very slowly as market forces move clue toward the edges (on the backs of flying pigs) or the edges wither.
>
> another view is that the site of the cause is not where the pain of the effect is felt. hence the incentive to fix is small. this would seem only susceptible to vigilante acts, which is not cool. better ideas welcome.
>
> randy
Well, yes and no.

Blocking the amplifiers, forcing them to repent and fix their routers (or lose connectivity) WORKS, Randy. I'm living proof, because what was a nightly out-of-service condition on our IRC server is now NOT one.

Without the amplifiers, the source spoofing is useless.

Yes, I know it's not the real problem, but trying to get Lucent and ASCEND in particular to fix this has proven fruitless over more than a year. All that is left is interdiction; it's not perfect, but folks, it WORKS.

--
-- Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/ | T1's from $600 monthly / All Lines K56Flex/DOV
| NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost