Re: [apnic-talk] NICs and Egress filtering?
Joe Abley wrote:
>
> Imagine I am an ISP. My customers send me routes which describe how
> to get to their network; this allows packets addressed to them in
> my network to be routed to them correctly. "send" might mean
> "advertise using BGP", or "asking me to add a static route to my
> network".
>
> As well as routing packets towards my customer, I offer to take my
> customers' packets and route them to the rest of the world. To that
> end, I send my customers routes which describe how to reach the
> rest of the internet.
>
> There's another ISP next door. Since there is a certain amount of
> traffic which naturally flows between my customers and the guy
> next door's customers, it makes sense for us to string a cable
> through the ceiling and send the traffic over it. To do this,
> I send the guy next door routes which describe how to get to my
> and my customers' networks, and he does the same. He is a peer;
> we exchange routes without providing global transit to each other.
>
> My network might have so many peers that the sum total of all
> routes provided to me by my customers and my peers encompasses the
> entire internet. [In that case, I might call myself a "tier-1"
> provider, and sit back smugly watching the world provide me with
> money for the privilege of giving me access to the internet.]
>
> Suppose it's not, though; in that case I need some way to reach
> the rest of the internet. I do that by buying transit from another
> ISP. That ISP is a provider; I am its customer. I might have more
> than one provider.
>
> > > The packets can't reach their destination. They can't even reach
> > > your network, because you filter them on ingress.
> >
> > Yes, in fact I do and they don't reach an actual address, but because
> > they reach the router leading to the address they in fact flood that
> > route.
> >
> > For example if someone wanted to take out my web server they could have
> > 300 machines located around the world pumping out an aggregate of
> > 1MB/sec of crap directed at the web server using a source address of say
> > 10.x.x.x. This would get blocked at my border router, but if the
> > bandwidth to that router is only 500K the purpose is served. As far as
> > I can see the only way to stop this kind of attack is with filtering at
> > the source of the transaction.
>
> Yep -- if everybody applied ingress filters on customer interfaces
> wherever they could, surely the problem of spoofed source addresses
> would be vastly reduced.
>
> > The penny finally drops. Of course -- it is all cooperative. On one
> > hand what a wonderful system that everyone cooperates without absolute
> > rules yet it must, perforce, engender a certain untidiness in the
> > corners so to speak...
>
> It's a toss-up between having rules and enforcement (on which nobody
> would agree, so nothing would be deployed) and having largely no
> rules (in which case only minimal agreement is necessary, things are
> deployed, but there are no real police available to catch the bad
> guys).
>
> Joe
Thanks very much for the explanation. What a wonnerful world, eh?
Enjoy K.L. everyone!
Phil
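As an added illustration of the ingress filtering discussed above (example code written for this page, not from the thread or any ISP's router): the prefixes a customer routes to us become the allow-list for source addresses on that customer's interface, and a packet whose source lies outside them is dropped at the edge before it can cross our network. Interface names, prefixes and packets are constructed sample values.

```python
"""Source-address ingress filter on customer-facing interfaces.

Added example for this page, not code from the apnic-talk thread.
All prefixes, interface names and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Routes each customer has "sent" us (BGP advertisement or static route),
# keyed by the interface that customer is attached to.  Constructed values.
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/25")],
}

@dataclass(frozen=True)
class Packet:
    ifname: str   # interface the packet arrived on
    src: str      # source address as written in the IP header
    dst: str
    size: int     # bytes

def ingress_permitted(pkt: Packet) -> bool:
    """Accept a packet on a customer interface only if its source address
    lies within a prefix that customer routed to us.  Anything else is
    spoofed or misrouted and is dropped at the edge."""
    allowed = CUSTOMER_PREFIXES.get(pkt.ifname, [])
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed)

def filter_customer_traffic(pkts):
    """Split a batch of packets into (accepted, dropped) lists."""
    accepted = [p for p in pkts if ingress_permitted(p)]
    dropped = [p for p in pkts if not ingress_permitted(p)]
    return accepted, dropped

def border_filter_saturated(attack_rate: float, link_rate: float) -> bool:
    """The thread's point: a filter at the victim's own border cannot help
    once the attack aggregate fills the link feeding that border.  Both
    rates must be given in the same unit."""
    return attack_rate >= link_rate

# Constructed sample batch: one genuine customer packet, one spoofed from
# 10.0.0.0/8, and one claiming another customer's address on the wrong port.
SAMPLE = [
    Packet("eth1", "203.0.113.7", "192.0.2.10", 1200),
    Packet("eth1", "10.4.5.6", "192.0.2.10", 1200),
    Packet("eth2", "203.0.113.7", "192.0.2.10", 1200),
]
```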
* APNIC-TALK: General APNIC Discussion List *
* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *