Re: Cisco says attacks are due to operational practices
On Thu, 10 February 2000, Paul Ferguson wrote:
Excuse me, but can you please tell me what "application" a downstream customer might be running which originates packets for traffic with source addresses which they are not advertising (or you are advertising for them)?
The usual example given is Hughes DirectPC, which sends packets with a source address of the satellite link via a dialup ISP connection.
On Thu, 10 February 2000, Paul Ferguson wrote:
Excuse me, but can you please tell me what "application" a downstream customer might be running which originates packets for traffic with source addresses which they are not advertising (or you are advertising for them)?
The usual example given is Hughes DirectPC, which sends packets with a source address of the satellite link via a dialup ISP connection.
Um. I know the basics of the DirecPC service, and not much else about it. From what I understand, traffic from the customer's PC does not touch the satellite at all; it goes through the modem, so I assume you're talking about traffic to the PC here? Can you elaborate, please?

--
North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net
Steve Sobol, President, Chief Website Architect and Janitor
sjsobol@NorthShoreTechnologies.net - 888.480.4NET - 216.619.2NET
From my understanding, the PC sends a packet with a source address that will be routed back to DirecPC so that it can come down the satellite link.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Steve Sobol
Sent: Thursday, February 10, 2000 10:58 PM
To: Sean Donelan
Cc: ferguson@cisco.com; nanog@merit.edu
Subject: Re: Cisco says attacks are due to operational practices
Ahh, in our case this would be a "special case". Does this D-PC thing use static IP, or dynamic??? If static, then it's easy to add that customer's /32 to our ACL.

On Thu, Feb 10, 2000 at 06:53:50PM -0800, Sean Donelan wrote:
On Thu, 10 February 2000, Paul Ferguson wrote:
Excuse me, but can you please tell me what "application" a downstream customer might be running which originates packets for traffic with source addresses which they are not advertising (or you are advertising for them)?
The usual example given is Hughes DirectPC, which sends packets with a source address of the satellite link via a dialup ISP connection.
Sean Donelan wrote:
On Thu, 10 February 2000, Paul Ferguson wrote:
Excuse me, but can you please tell me what "application" a downstream customer might be running which originates packets for traffic with source addresses which they are not advertising (or you are advertising for them)?
The usual example given is Hughes DirectPC, which sends packets with a source address of the satellite link via a dialup ISP connection.
This is the same concept used in the original Mobile IP designs. They expected the Internet would only ever look at destination IP address when forwarding packets. When we wrote RFC 2267, this issue was raised. As a result, Mobile IP folks had to look at tunneling the return traffic.

The right answer for DirectPC is the same. Tunnel the traffic so that it's on valid IP addresses. Using inappropriate source IP addresses for the network you're on is just not going to fly. We have the technology to deal with it.

In the multihomed case, the upstream providers should be made aware, either via a BGP advertisement or telephone call or whatever. Blindly allowing all traffic from a multihomed customer isn't likely to be a good plan in the long run.

--
-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranthnetworks.com
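An added example, not written by anyone in this thread: a small Python model of the RFC 2267-style ingress filter that both John Brown's "/32 in our ACL" special case and Daniel Senie's tunneling answer are about. The addresses are constructed documentation-range values and the packet dictionaries stand in for real IP headers; the filter judges only the outer source, so a tunnelled DirecPC-style packet passes on the dialup pool address while the same packet sent raw needs an explicit exception.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample addresses (documentation ranges, not real hosts):
DIALUP_POOL = ipaddress.ip_network("192.0.2.0/24")   # what the dialup ISP advertises
DIRECPC_HOST = "203.0.113.7"                          # customer's static satellite-side address
SPOOFED = "198.51.100.9"                              # address nobody on this link may use


@dataclass
class IngressFilter:
    """RFC 2267-style source-address check on one customer-facing interface."""
    allowed: list                                     # prefixes advertised for this customer
    exceptions: set = field(default_factory=set)      # agreed /32s, the "special case"

    def permits(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return addr in self.exceptions or any(addr in net for net in self.allowed)

    def apply(self, packets):
        """Split packets into (forwarded, dropped), looking only at the outer source."""
        forwarded, dropped = [], []
        for pkt in packets:
            (forwarded if self.permits(pkt["src"]) else dropped).append(pkt)
        return forwarded, dropped


def encapsulate(inner: dict, tunnel_src: str, tunnel_dst: str) -> dict:
    """IP-in-IP style wrap: the outer header carries an address valid on the dialup link."""
    return {"src": tunnel_src, "dst": tunnel_dst, "proto": 4, "inner": inner}


def run_demo(with_exception: bool):
    """Return (forwarded sources, dropped sources) for the constructed traffic mix."""
    exceptions = {ipaddress.ip_address(DIRECPC_HOST)} if with_exception else set()
    acl = IngressFilter(allowed=[DIALUP_POOL], exceptions=exceptions)
    direcpc_pkt = {"src": DIRECPC_HOST, "dst": "192.0.2.200", "proto": 6}
    packets = [
        {"src": "192.0.2.10", "dst": "192.0.2.200", "proto": 6},  # ordinary dialup user
        direcpc_pkt,                                              # raw DirecPC-style source
        {"src": SPOOFED, "dst": "192.0.2.200", "proto": 6},       # spoofed, always dropped
        encapsulate(direcpc_pkt, "192.0.2.10", "203.0.113.1"),    # tunnelled alternative
    ]
    fwd, drop = acl.apply(packets)
    return [p["src"] for p in fwd], [p["src"] for p in drop]


if __name__ == "__main__":
    print("no exception:", run_demo(False))
    print("with /32 exception:", run_demo(True))
```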
At 12:18 AM 02/11/2000 -0500, Daniel Senie wrote:
The right answer for DirectPC is the same. Tunnel the traffic so that it's on valid IP addresses. Using inappropriate source IP addresses for the network you're on is just not going to fly.
Yep, also known as "broken". - paul
participants (6)
- Daniel Senie
- John M. Brown
- Paul Ferguson
- Sean Donelan
- Shawn Morris
- Steve Sobol