Re: Tier 2 ingress filtering
On Thu, 28 Mar 2013 17:16:48 -0000, bmanning@vacation.karoshi.com said:
is there a clear understanding of "the edge" in the network operations community? in a simpler world, it was not that difficult, but interconnect has blossomed and grown all sorts of noodly appendages/extensions. I fear that edge does not mean what you think it means anymore.
For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable connections, it's still the edge and still trivially filterable. If that's a problem, the ISP can upsell a business-class connection that doesn't filter. ;)
On Thu, Mar 28, 2013 at 01:47:45PM -0400, Valdis.Kletnieks@vt.edu wrote:
On Thu, 28 Mar 2013 17:16:48 -0000, bmanning@vacation.karoshi.com said:
is there a clear understanding of "the edge" in the network operations community? in a simpler world, it was not that difficult, but interconnect has blossomed and grown all sorts of noodly appendages/extensions. I fear that edge does not mean what you think it means anymore.
For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable connections, it's still the edge and still trivially filterable. If that's a problem, the ISP can upsell a business-class connection that doesn't filter. ;)
5 9s? I'll go w/ big, but this seems a stretch to me. if true (it might be), then filtering ought to be done and catch the delta. I still posit a baseline that does not fit this low-hanging fruit... (trill networks, L2 transparent bridging, L2-L3-VPNs, etc.) /bill
----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
On Thu, 28 Mar 2013 17:16:48 -0000, bmanning@vacation.karoshi.com said:
is there a clear understanding of "the edge" in the network operations community? in a simpler world, it was not that difficult, but interconnect has blossomed and grown all sorts of noodly appendages/extensions. I fear that edge does not mean what you think it means anymore.
For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable connections, it's still the edge and still trivially filterable. If that's a problem, the ISP can upsell a business-class connection that doesn't filter. ;)
C'mon guys: the edge is where people who *source and sink* packets connect to people who *move* packets. There may be some edges *inside* carriers, but there is certainly an edge where carriers hook up customers. And no, this should apply to business-grade connections as much as resi.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu> For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable connections, it's still the edge and still trivially filterable. If that's a problem, the ISP can upsell a business-class connection that doesn't filter. ;)
C'mon guys: the edge is where people who *source and sink* packets connect to people who *move* packets. There may be some edges *inside* carriers, but there is certainly an edge where carriers hook up customers.
Exactly - packets leaving Comcast's network and going to another tier 1/2, the receiver may have a hard time figuring out if the packet is legit or not. But it's trivial for Comcast to tell whether the packet that just came out my cablemodem is consistent with what their DHCP server told my CPE. (For the record, the last time I tried running the spoofer.sail stuff on my home gear, it was totally unable to sneak a packet out, so at least part of Comcast does this right). And the fact that there are places where it *is* hard to deploy isn't an excuse for not doing it in the 98% of places where it's a slam dunk.
And no, this should apply to business-grade connections as much as resi.
Oh, I was intending *those* would be filtered by default as well, but you could request an opt-out if you were trying to do multi-homing on the cheap as some people have suggested (similar to blocking outbound 25 by default, unless the user actually has a mail server).
Yeah, that's what I meant: ingress filter all edge connections except maybe BGP, and accept opt-out requests. Valdis.Kletnieks@vt.edu wrote:
On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu> For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable connections, it's still the edge and still trivially filterable. If that's a problem, the ISP can upsell a business-class connection that doesn't filter. ;)
C'mon guys: the edge is where people who *source and sink* packets connect to people who *move* packets. There may be some edges *inside* carriers, but there is certainly an edge where carriers hook up customers.
Exactly - packets leaving Comcast's network and going to another tier 1/2, the receiver may have a hard time figuring out if the packet is legit or not. But it's trivial for Comcast to tell whether the packet that just came out my cablemodem is consistent with what their DHCP server told my CPE. (For the record, the last time I tried running the spoofer.sail stuff on my home gear, it was totally unable to sneak a packet out, so at least part of Comcast does this right).
And the fact that there are places where it *is* hard to deploy isn't an excuse for not doing it in the 98% of places where it's a slam dunk.
And no, this should apply to business-grade connections as much as resi.
Oh, I was intending *those* would be filtered by default as well, but you could request an opt-out if you were trying to do multi-homing on the cheap as some people have suggested (similar to blocking outbound 25 by default, unless the user actually has a mail server).
-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On Thu, 28 Mar 2013, Jay Ashworth wrote:
C'mon guys: the edge is where people who *source and sink* packets connect to people who *move* packets. There may be some edges *inside* carriers, but there is certainly an edge where carriers hook up customers.
And no, this should apply to business-grade connections as much as resi.
I tested several days ago and was surprised/impressed to find that my home cable provider does not allow me to spoof. AFAICR, all of the Tier1/Tier2 providers I've dealt with over the years (UUNet, Sprintlink, C&W, MCI, Digex, Intermedia, Abovenet, Level3, TWTelecom, Cogent, BHN, I'm probably forgetting a few) have done BGP prefix-list filters on their transit customers. If they know what routes you might want to announce to them, wouldn't it be reasonable to use that same list of prefixes (in the vast majority of cases) as the basis for an input ACL on your interface? It'd be extra work for the T1/T2 networks to do this, and arguably, all the customer networks should be doing it inside their own networks, but we all know that not everyone who buys a connection and configures BGP has half a clue, and for the ones that do, we can all appreciate the idea of a belt and suspenders. It's time for people to stop passing the buck on BCP38 (we don't do it, because it really ought to be done at that other level) and start implementing it where possible.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
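To make the mechanism the two messages above describe concrete, here is an added example (not code posted in this thread, and not any provider's implementation) of a BCP38-style source-address check. It models both cases: Jon Lewis's point that the prefix-list an ISP already keeps for a BGP customer can double as the permitted-source list for an input ACL on that port, and Valdis's point that for a cable subscriber the permitted source is simply the address the DHCP server leased to the CPE. The interface names, prefixes, DHCP lease and packet samples are all constructed for illustration, and the ACL rendering is a Cisco-like sketch rather than a vendor-verified configuration.

```python
"""Added example, not code from the thread: a BCP38-style source-address
check built from the prefixes an ISP already knows for each customer port.

Two cases from the discussion are modelled. For a BGP transit customer the
permitted sources are the same prefixes the ISP's prefix-list would accept
as announcements (Jon Lewis's suggestion). For a residential subscriber the
permitted source is the single address the DHCP server leased to the CPE
(the cable-modem case Valdis describes). Interface names, prefixes and
packet samples below are all constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical per-interface policy (constructed): what each customer may
# legitimately put in the source field of packets entering on that port.
INGRESS_POLICY_RAW: Dict[str, List[str]] = {
    "ge-0/0/1": ["198.51.100.0/24", "2001:db8:1::/48"],  # BGP customer prefixes
    "cm-1234": ["203.0.113.77/32"],                       # one DHCP lease
}

# Constructed packet samples as (ingress interface, source, destination).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("ge-0/0/1", "198.51.100.10", "192.0.2.1"),         # legitimate
    ("ge-0/0/1", "192.0.2.200", "192.0.2.1"),           # source not the customer's
    ("ge-0/0/1", "2001:db8:1::5", "2001:db8:ffff::1"),  # legitimate IPv6
    ("cm-1234", "203.0.113.77", "192.0.2.1"),           # matches the lease
    ("cm-1234", "203.0.113.78", "192.0.2.1"),           # a neighbour's address
    ("wlan0", "198.51.100.10", "192.0.2.1"),            # port with no policy
]


def build_policy(raw: Dict[str, List[str]]):
    """Parse the textual prefixes once into ip_network objects per interface."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in raw.items()}


POLICY = build_policy(INGRESS_POLICY_RAW)


def source_permitted(policy, ifname: str, src: str) -> bool:
    """True if src lies inside a prefix permitted on ifname.

    An interface with no policy entry permits nothing: the filter fails
    closed rather than letting an unconfigured port source anything.
    """
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in policy.get(ifname, []))


def filter_packets(policy, packets):
    """Split packets into (accepted, dropped) lists by the source check."""
    accepted, dropped = [], []
    for pkt in packets:
        ifname, src, _dst = pkt
        (accepted if source_permitted(policy, ifname, src) else dropped).append(pkt)
    return accepted, dropped


def render_acl(nets) -> List[str]:
    """Render the permitted prefixes as an illustrative, Cisco-like input ACL.

    IPv4 entries use address/wildcard form, IPv6 entries use prefix form, and
    everything else is denied and logged. This is a sketch of the idea, not a
    vendor-verified configuration; real platforms keep v4 and v6 ACLs apart.
    """
    lines = []
    for net in nets:
        if net.version == 4:
            lines.append(f"permit ip {net.network_address} {net.hostmask} any")
        else:
            lines.append(f"permit ipv6 {net.with_prefixlen} any")
    lines.append("deny any any log")
    return lines


if __name__ == "__main__":
    ok, bad = filter_packets(POLICY, SAMPLE_PACKETS)
    for pkt in bad:
        print("DROP", pkt)
    for pkt in ok:
        print("PASS", pkt)
    print("\n".join(render_acl(POLICY["ge-0/0/1"])))
```

Run as a script it prints three DROP lines (the two wrong sources and the packet from the port with no policy) and three PASS lines, then the sketch ACL for the BGP customer's port. The deny-and-log default is the operationally useful part: the logged drops are exactly the data a provider needs to spot a misconfigured customer before anyone else has to.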
On Thu, 28 Mar 2013, Jon Lewis wrote:
It's time for people to stop passing the buck on BCP38 (we don't do it, because it really ought to be done at that other level) and start implementing it where possible.
An economic factor will be required for BCP38 to be effective. It will have to cost more money to not implement BCP38 than it will to implement it, in order to get widespread adoption. -Dan
participants (5): bmanning@vacation.karoshi.com, goemon@anime.net, Jay Ashworth, Jon Lewis, Valdis.Kletnieks@vt.edu