Re: [apnic-talk] NICs and Egress filtering?
On Tue, Jan 09, 2001 at 11:34:13AM +1030, Phil Crooker wrote:
> > > > I think the more usual place to apply filters to catch spoofing is
> > > > on the ingress to your network, on the customer-facing circuit.
> > > > Packet filtering is frequently expensive, which is a good reason
> > > > to push it out to the edge.
> > >
> > > An egress filter prevents spoofed addresses entering the Internet from
> > > that router
> >
> > To use egress filters reliably, you would have to place them on every
> > customer-, peer- and provider-facing router interface.
>
> I'm not sure where these three precisely delineate.
You're not sure of the difference between customers, peers and
providers?
> I was thinking of
> the level just above the customer only. If that level is filtered the
> higher ones wouldn't require it, would they?
If you allow your customers to send you junk, and you want to stop
that junk reaching other customers, or peers, or providers, and you
insist on filtering at the egress from your network rather than the
ingress, then you need to filter on every single egress from your
network.
> > That's an O(n^2)
> > configuration problem, and also requires placing packet filters on fat
> > trunks to peers and providers.
> >
> > Using ingress filters on customer-facing interfaces is an O(n)
> > configuration problem, and avoids the requirement for filtering
> > on peer and provider circuits.
>
> An ingress filter has no effect on flooding-type denial of service
> attacks -- if the packets can reach the destination they have achieved
> their purpose.
The packets can't reach their destination. They can't even reach
your network, because you filter them on ingress.
> Also spoofers can use 'real' IP addresses (but not their
> own) and thus circumvent any ingress filter.
Not if they're your customers, since you apply ingress filters.
> I often get packets
> spoofed with my network addresses from third party DOS attacks.
The originators of those packets must not apply ingress filters.
> > > > > It seems to me the major NICs are about the only bodies that have the
> > > > > wherewithal to enforce these filters.
> > > >
> > > > How would they enforce them?
> > >
> > > No filter, no route your network of course!
> >
> > (a) APNIC, ARIN and RIPE have no say in how your network gets routed.
>
> Ok, these NICs do determine who uses a particular address, no?
APNIC, ARIN and RIPE provide justification for an end-user to
arrange a particular prefix to be advertised by a provider. However,
if someone advertises something that they shouldn't, the regional
registries have precisely zero powers to step in and enforce their
delegations. They can merely provide information regarding the
delegations they have made.
> If not
> by routing, how do they stop someone from using an address?
They don't. They merely publish details of delegations they have
made.
> > (b) The only person who would know if the filters were not in place
> > would be the customer. If they were a good customer, they wouldn't need
> > them; if they were an evil customer, they would keep quiet so they
> > could exploit the hole.
>
> My problem with doing nothing is that enough users just don't do egress
> filtering.
Users don't need to do egress filters if their providers apply
ingress filters.
> This
> problem is only going to get worse and it is in *all* our interests to
> prevent another huge DDOS attack from happening as did last February.
Huge DDOS attacks happen every other day. Operators need to change
their behaviour and act responsibly, but expecting the regional
registries to wield some big stick to make this happen is somewhat
unrealistic.
Joe
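The ingress-versus-egress argument above, worked through as a small model. This is an added illustration, not code from the message or from any operator; the interface names, the customer prefixes (RFC 5737 documentation ranges) and the sample packets are all constructed. It shows a per-customer-interface permit list that drops anything not sourced from that customer's own prefixes (so neither random nor "real but not yours" sources get in), and counts how many rules the same protection costs when done on every egress instead.

```python
"""Toy model of ingress filtering on customer-facing interfaces.

Added example; not the original poster's code. Topology, prefixes and
packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: customer-facing interfaces and the prefixes each customer holds.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/25"],
    "ge-0/0/2": ["192.0.2.128/26", "198.51.100.0/24"],
    "ge-0/0/3": ["203.0.113.0/24"],
}

# Constructed: every interface on which traffic can leave this network
# (peer, transit provider, and the customer circuits themselves).
EGRESS_INTERFACES = ["xe-1/0/0-peer", "xe-1/0/1-transit",
                     "ge-0/0/1", "ge-0/0/2", "ge-0/0/3"]


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # claimed source address
    dst: str


def build_ingress_filters(customer_prefixes):
    """One permit list per customer-facing interface: own prefixes only."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in customer_prefixes.items()}


def ingress_permits(filters, pkt):
    """True only if pkt.src lies in a prefix delegated to the customer on pkt.ingress_if."""
    allowed = filters.get(pkt.ingress_if)
    if allowed is None:
        return False  # not a customer interface we have a permit list for: deny
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed)


def filter_ingress(filters, packets):
    """Split packets into (forwarded, dropped) at the customer-facing edge."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_permits(filters, pkt) else dropped).append(pkt)
    return forwarded, dropped


def rule_counts(customer_prefixes, egress_interfaces):
    """Permit entries needed: ingress (each interface lists its own prefixes)
    versus egress (every egress interface must list every customer prefix)."""
    all_prefixes = sum(len(v) for v in customer_prefixes.values())
    n_ingress = all_prefixes
    n_egress = all_prefixes * len(egress_interfaces)
    return n_ingress, n_egress


# Constructed sample traffic arriving on customer circuits.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "192.0.2.10", "198.51.100.5"),    # customer 1, own address
    Packet("ge-0/0/1", "10.9.8.7", "198.51.100.5"),      # customer 1 spoofing a random source
    Packet("ge-0/0/1", "203.0.113.9", "198.51.100.5"),   # customer 1 spoofing customer 3's "real" address
    Packet("ge-0/0/2", "198.51.100.20", "203.0.113.1"),  # customer 2, own address
]

if __name__ == "__main__":
    filters = build_ingress_filters(CUSTOMER_PREFIXES)
    fwd, drop = filter_ingress(filters, SAMPLE_PACKETS)
    print("forwarded:", [p.src for p in fwd])
    print("dropped:  ", [p.src for p in drop])
    print("permit entries, ingress vs egress:",
          rule_counts(CUSTOMER_PREFIXES, EGRESS_INTERFACES))
```

The dropped packets never leave the customer circuit, which is the point made above: there is nothing to filter on the peer and transit trunks because the spoofed traffic was refused at the first hop. The rule count shows the scaling Joe describes; with three customer interfaces and five egresses the egress approach already needs five times the entries.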
* APNIC-TALK: General APNIC Discussion List *
* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *