Re: [apnic-talk] NICs and Egress filtering?
On Wed, Jan 10, 2001 at 12:19:20PM +1030, Phil Crooker wrote:
> Joe Abley wrote:
> > > >
> > > > To use egress filters reliably, you would have to place them on every
> > > > customer-, peer- and provider-facing router interface.
> > >
> > > I'm not sure where these three precisely delineate.
> >
> > You're not sure of the difference between customers, peers and
> > providers?
>
> No I'm not <precisely> sure (like I said I'm just a poor end user ...
> ;)
Imagine I am an ISP. My customers send me routes which describe how
to get to their network; this allows packets addressed to them in
my network to be routed to them correctly. "send" might mean
"advertise using BGP", or "ask me to add a static route to my
network".
As well as routing packets towards my customer, I offer to take my
customers' packets and route them to the rest of the world. To that
end, I send my customers routes which describe how to reach the
rest of the internet.
There's another ISP next door. Since there is a certain amount of
traffic which naturally flows between my customers and the guy
next door's customers, it makes sense for us to string a cable
through the ceiling and send the traffic over it. To do this,
I send the guy next door routes which describe how to get to my
and my customers' networks, and he does the same. He is a peer;
we exchange routes without providing global transit to each other.
My network might have so many peers that the sum total of all
routes provided to me by my customers and my peers encompasses the
entire internet. [In that case, I might call myself a "tier-1"
provider, and sit back smugly watching the world provide me with
money for the privilege of giving me access to the internet.]
Suppose it's not, though; in that case I need some way to reach
the rest of the internet. I do that by buying transit from another
ISP. That ISP is a provider; I am its customer. I might have more
than one provider.
> > The packets can't reach their destination. They can't even reach
> > your network, because you filter them on ingress.
>
> Yes, in fact I do and they don't reach an actual address, but because
> they reach the router leading to the address they in fact flood that
> route.
>
> For example if someone wanted to take out my web server they could have
> 300 machines located around the world pumping out an aggregate of
> 1MB/sec of crap directed at the web server using a source address of say
> 10.x.x.x. This would get blocked at my border router, but if the
> bandwidth to that router is only 500K the purpose is served. As far as
> I can see the only way to stop this kind of attack is with filtering at
> the source of the transaction.
Yep -- if everybody applied ingress filters on customer interfaces
wherever they could, surely the problem of spoofed source addresses
would be vastly reduced.
> The penny finally drops. Of course -- it is all cooperative. On one
> hand what a wonderful system that everyone cooperates without absolute
> rules yet it must, perforce, engender a certain untidiness in the
> corners so to speak...
It's a toss-up between having rules and enforcement (on which nobody
would agree, so nothing would be deployed) and having largely no
rules (in which case only minimal agreement is necessary, things are
deployed, but there are no real police available to catch the bad
guys).
Joe
* APNIC-TALK: General APNIC Discussion List *
* To unsubscribe: send "unsubscribe" to apnic-talk-request at apnic dot net *
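Added example, not part of the thread above or of any participant's post: a small Python model of the two things Joe explains, the customer/peer/provider route-export policy and an ingress filter on a customer-facing interface that drops packets whose source address is not in a prefix that customer sent me a route for (the 10.x.x.x case from Phil's example). All prefixes are constructed documentation ranges and all neighbour names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (hypothetical; documentation ranges only).
# "Customers send me routes", "peers exchange routes without transit",
# "a provider sells me transit": modelled as the routes each neighbour sends me.
MY_PREFIXES = ["192.0.2.0/24"]
ROUTES_FROM = {
    "customer": {"cust-a": ["198.51.100.0/25"],
                 "cust-b": ["198.51.100.128/25"]},
    "peer":     {"isp-next-door": ["203.0.113.0/24"]},
    "provider": {"upstream": ["0.0.0.0/0"]},   # default: "the rest of the internet"
}


def _flatten(kind):
    """All prefixes learned from every neighbour of the given kind."""
    return [p for prefixes in ROUTES_FROM[kind].values() for p in prefixes]


def export_routes(neighbour_kind):
    """Routes I send to a neighbour of a given kind.

    Customers buy transit, so they get my own, my customers', my peers' and
    my providers' routes. Peers and providers get only my own and my
    customers' routes: that is what "no global transit to each other" means.
    """
    mine_and_customers = MY_PREFIXES + _flatten("customer")
    if neighbour_kind == "customer":
        return mine_and_customers + _flatten("peer") + _flatten("provider")
    if neighbour_kind in ("peer", "provider"):
        return mine_and_customers
    raise ValueError(f"unknown neighbour kind: {neighbour_kind}")


def ingress_permitted(customer, src_ip):
    """Ingress filter on the interface facing `customer`.

    A packet is accepted only if its source address lies inside a prefix that
    this customer sent me a route for. Anything else (RFC 1918 space, another
    customer's prefix, a random global address) is spoofed from my point of
    view and dropped before it can go anywhere.
    """
    src = ip_address(src_ip)
    return any(src in ip_network(p) for p in ROUTES_FROM["customer"][customer])


def filter_packets(customer, packets):
    """Apply the ingress filter to (src, dst) pairs; return (accepted, dropped)."""
    accepted = [pkt for pkt in packets if ingress_permitted(customer, pkt[0])]
    dropped = [pkt for pkt in packets if not ingress_permitted(customer, pkt[0])]
    return accepted, dropped


# Constructed sample traffic arriving on cust-a's interface, destined for a
# web server in my own network.
SAMPLE_PACKETS = [
    ("198.51.100.10", "192.0.2.80"),   # genuine cust-a source: accepted
    ("10.1.2.3", "192.0.2.80"),        # 10.x.x.x spoof from the thread: dropped
    ("198.51.100.200", "192.0.2.80"),  # cust-b's prefix on cust-a's interface: dropped
]

if __name__ == "__main__":
    print("to peer:    ", export_routes("peer"))
    print("to customer:", export_routes("customer"))
    ok, bad = filter_packets("cust-a", SAMPLE_PACKETS)
    print("accepted:", ok)
    print("dropped: ", bad)
```

The filter is only as good as the route list it is derived from, which is the point Joe makes: it works on customer interfaces, where I know exactly which prefixes belong behind each port, and is much harder on peer and provider interfaces, where the set of legitimate sources is effectively the whole internet.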