Re: [apnic-talk] NICs and Egress filtering?
Joe,
One more time ...
Joe Abley wrote:
> > >
> > > To use egress filters reliably, you would have to place them on every
> > > customer-, peer- and provider-facing router interface.
> >
> > I'm not sure where these three precisely delineate.
>
> You're not sure of the difference between customers, peers and
> providers?
>
No, I'm not <precisely> sure (like I said, I'm just a poor end user ...
;). I'm guessing peers are the likes of UUNET, PSI, Telstra etc. and
providers are ISPs and large regional telcos, with considerable overlap
between the two categories.
> > I was thinking of
> > the level just above the customer only. If that level is filtered the
> > higher ones wouldn't require it, would they?
>
> If you allow your customers to send you junk, and you want to stop
> that junk reaching other customers, or peers, or providers, and you
> insist on filtering at the egress from your network rather than the
> ingress, then you need to filter on every single egress from your
> network.
>
OK, I think I finally understand -- you want to filter on the customer
side going into the ISP (or whatever) rather than on the interface outbound
from the ISP to the provider/peer. Yes, this is much better technically;
I was using egress in the less exact sense of not letting the packet
over the border. Sorry for the misunderstanding, I was thinking like an
end user - again. My intent is to filter packets with spoofed source
addresses as close to their source as possible/practical. Whether it is
in fact possible/practical is another matter ....
> > > That's an O(n^2)
> > > configuration problem, and also requires placing packet filters on fat
> > > trunks to peers and providers.
> > >
> > > Using ingress filters on customer-facing interfaces is an O(n)
> > > configuration problem, and avoids the requirement for filtering
> > > on peer and provider circuits.
> >
> > An ingress filter has no effect on flooding-type denial of service
> > attacks -- if the packets can reach the destination they have achieved
> > their purpose.
>
> The packets can't reach their destination. They can't even reach
> your network, because you filter them on ingress.
Yes, in fact I do, and they don't reach an actual address, but because
they reach the router leading to the address they in fact flood that
route.
For example, if someone wanted to take out my web server they could have
300 machines located around the world pumping out an aggregate of
1 MB/sec of crap directed at the web server using a source address of, say,
10.x.x.x. This would get blocked at my border router, but if the
bandwidth to that router is only 500K, the purpose is served. As far as
I can see, the only way to stop this kind of attack is with filtering at
the source of the transaction.
>
> > Also spoofers can use 'real' IP addresses (but not their
> > own) and thus circumvent any ingress filter.
>
> Not if they're your customers, since you apply ingress filters.
>
> > I often get packets
> > spoofed with my network addresses from third party DOS attacks.
>
> The originators of those packets must not apply ingress filters.
>
No, they don't, hence the reason I'm bringing this up.
> > > > > > It seems to me the major NICs are about the only body that have the
> > > > > > wherewithal to enforce these filters.
> > > > >
> > > > > How would they enforce them?
> > > >
> > > > No filter, no route your network of course!
> > >
> > > (a) APNIC, ARIN and RIPE have no say in how your network gets routed.
> >
> > Ok, these NICs do determine who uses a particular address, no?
>
> APNIC, ARIN and RIPE provide justification for an end-user to
> arrange a particular prefix to be advertised by a provider. However,
> if someone advertises something that they shouldn't, the regional
> registries have precisely zero powers to step in and enforce their
> delegations. They can merely provide information regarding the
> delegations they have made.
>
The penny finally drops. Of course -- it is all cooperative. On one
hand, what a wonderful system, that everyone cooperates without absolute
rules; yet it must, perforce, engender a certain untidiness in the
corners, so to speak...
--
Phil Crooker ORIX Australia 61 8 8443 6844
UNIX SysAdmin pcrooker at orix dot com dot au 61 8 8443 6955 (fax)
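The two placements argued over in the message above, written out as an added example (not code from the list, from Joe or from Phil): per-customer ingress filters at the source ISP versus a lone filter at the victim's border. The customer prefixes, interface names, flood flows and the 500 kbit/s link figure are constructed for illustration; the 8 Mbit/s aggregate mirrors the 1 MB/sec flood in the message, and the rule counting follows the O(n) versus O(n^2) argument from the quoted text.

```python
"""Where to drop packets with spoofed source addresses: ingress filters on
each customer-facing interface versus a single filter at the victim's border.
Constructed example; prefixes, interfaces and flows below are made up."""
import ipaddress

# Constructed: customer-facing interface -> prefixes delegated to that customer.
CUSTOMERS = {
    "serial0/1": ["203.0.113.0/25"],
    "serial0/2": ["203.0.113.128/25", "198.51.100.0/24"],
}
# Constructed: trunks toward peers and providers. With ingress filtering on
# the customer interfaces these carry no source-address filter at all.
EXTERNAL_IFACES = ["pos1/0", "pos1/1"]
# RFC 1918 space: the only kind of source a victim-side filter can reject
# outright, since it is never a valid Internet source.
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VICTIM_LINK_BPS = 500_000   # the "only 500K" upstream link from the message


def build_ingress_filters(customers):
    """One allow-list per customer interface, holding only its own prefixes."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in customers.items()}


def ingress_permits(filters, ifname, src):
    """True if a packet arriving on ifname may legitimately carry source src."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in filters[ifname])


def border_permits(src):
    """Victim-side check: it can only drop sources that are never valid."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in BOGONS)


def rule_counts(customers, external_ifaces):
    """Configuration size of the two placements.  Ingress: each customer
    interface lists its own prefixes plus a deny (O(n)).  Egress: every
    interface, customer or trunk, must carry the full list of all customer
    prefixes plus a deny, since any customer's packets may leave anywhere."""
    prefixes = sum(len(p) for p in customers.values())
    ingress = prefixes + len(customers)
    ifaces = len(customers) + len(external_ifaces)
    egress = ifaces * (prefixes + 1)
    return ingress, egress


# Constructed flood toward one web server: (interface the packets enter the
# source ISP on, source address, bits/s).  8 Mbit/s total = 1 MB/sec.
SAMPLE_FLOWS = [
    ("serial0/1", "203.0.113.10", 64_000),    # legitimate customer traffic
    ("serial0/1", "10.4.4.4", 4_000_000),     # spoofed bogon source
    ("serial0/2", "203.0.113.5", 4_000_000),  # spoofed *real* address of another customer
]


def classify(filters, flows):
    """Decide each flow's fate under both filters."""
    return [{"src": src, "bps": bps,
             "edge": ingress_permits(filters, ifname, src),
             "border": border_permits(src)}
            for ifname, src, bps in flows]


def load_on_victim_link(rows, edge_filtering):
    """Bits/s that cross the victim's upstream link.  With source-side
    ingress filtering the spoofed flows never leave their ISP; with only a
    border filter they are dropped *after* consuming that link."""
    return sum(r["bps"] for r in rows if not edge_filtering or r["edge"])


def load_past_border(rows, edge_filtering):
    """Bits/s that get past the victim's border router to the server.
    A spoofed but routable source sails through the border filter."""
    return sum(r["bps"] for r in rows
               if (not edge_filtering or r["edge"]) and r["border"])


if __name__ == "__main__":
    filters = build_ingress_filters(CUSTOMERS)
    rows = classify(filters, SAMPLE_FLOWS)
    for edge in (True, False):
        link = load_on_victim_link(rows, edge)
        print(f"source-side ingress filtering={edge}: "
              f"{link / 1000:.0f} kbit/s on a {VICTIM_LINK_BPS / 1000:.0f} kbit/s "
              f"link ({link / VICTIM_LINK_BPS:.1%}), "
              f"{load_past_border(rows, edge) / 1000:.0f} kbit/s past the border")
    print("filter rules (ingress, egress):", rule_counts(CUSTOMERS, EXTERNAL_IFACES))
```

With the constructed flows, the border-only placement lets 8 Mbit/s onto a 500 kbit/s link (16 times its capacity) and still passes the 4 Mbit/s flow spoofing another customer's address, while the ingress placement leaves only the 64 kbit/s of genuine traffic; the rule count for two customers and two trunks is 5 entries for ingress against 16 for egress.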
* APNIC-TALK: General APNIC Discussion List *
* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *