[arin-announce] IPv4 Address Space (fwd)

In a message written on Wed, Oct 29, 2003 at 02:24:54PM -0600, Kuhtz, Christian wrote:
> Isn't that the whole point of running a VPN connection?

Yes. What I'm saying is network operators are slowly forcing
everyone to run _everything_ over a VPN like service. That's fine,
but it makes network operators unable to act on the traffic at the
same level they can today.

       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

I think the other point that may be escaping some people,
is that as more and more connections take on this VPN-like
quality, as network operators we lose any visibility into
the validity of the traffic itself.
Imagine how much more painful SQL Slammer would have been,
if all the traffic was encapsulated in port 80 between
sites, and only hit port 1434 locally?
We'd suddenly be unable to quickly filter out the worm
traffic, and would instead see only that our port 80 traffic
was now eating our network alive--and we certainly couldn't
get away with filtering that out. We'd have no choice but
to build our networks large enough to handle the largest
sized worm outbreak, as we'd have no option but to carry
the traffic blindly from end to end, having no way to
even begin to consider how to differentiate valid traffic
from invalid traffic.

At least today, we can decide that 92 byte ICMP echo-request
packets are invalid, and drop them; or that for the most part,
packets destined to port 1434 should be discarded as quickly
as possible. If everything, including worm outbreaks, gets
tunneled on port 80, get ready to loosen the purse strings,
because there's no alternative other than to add more capacity.

If I were more of a conspiracy theorist, I might think
that the router vendors and long-haul fiber providers
might be rubbing their hands gleefully in the background,
funnelling dollars into the VPN marketplace to fund
more and more products that do exactly that...it would
certainly be one way to ensure that the demand for
larger pipes and faster routers stays high for the
next decade or so, until OS vendors learn to secure
their software better. ^_^;;

Matt
happy to still be able to block IPs/ports at his own
discretion
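A small Python model of the visibility argument Matt makes above; this is an added example, not code from the thread. It applies a hypothetical header-level ACL for the two signatures he names (92-byte ICMP echo-request, UDP/1434) to a constructed burst of worm traffic, first in the clear and then wrapped in a TCP/80 tunnel, where only the aggregate port-80 volume remains visible to the intermediate system. Packet sizes and the tunnel overhead are constructed, not measured.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields an intermediate router (IS) can read."""
    proto: str            # "icmp", "udp" or "tcp"
    length: int           # total IP length in bytes
    dst_port: int = 0     # 0 for ICMP
    icmp_type: int = -1   # 8 = echo-request


def worm_signature(p: Packet) -> Optional[str]:
    """Hypothetical edge ACL: the two header-level signatures named in the thread."""
    if p.proto == "icmp" and p.icmp_type == 8 and p.length == 92:
        return "nachi-icmp-92"
    if p.proto == "udp" and p.dst_port == 1434:
        return "slammer-udp-1434"
    return None


def tunnel(p: Packet, overhead: int = 60) -> Packet:
    """The same packet as the IS sees it once wrapped in a TCP/80 VPN:
    only the outer header is visible, the inner headers are opaque."""
    return Packet("tcp", p.length + overhead, dst_port=80)


def apply_acl(packets):
    """Return (bytes dropped per signature, bytes forwarded per outer proto/port)."""
    dropped, forwarded = Counter(), Counter()
    for p in packets:
        sig = worm_signature(p)
        if sig:
            dropped[sig] += p.length
        else:
            forwarded[(p.proto, p.dst_port)] += p.length
    return dropped, forwarded


# Constructed sample traffic (sizes and overhead are illustrative, not measured).
WORM_BURST = [Packet("icmp", 92, icmp_type=8)] * 3 + [Packet("udp", 404, dst_port=1434)] * 2
WEB = [Packet("tcp", 1500, dst_port=80)] * 2
CLEAR = WORM_BURST + WEB                           # worm traffic in the clear
TUNNELLED = [tunnel(p) for p in WORM_BURST] + WEB  # same worm traffic inside TCP/80

if __name__ == "__main__":
    for name, pkts in (("clear", CLEAR), ("tunnelled", TUNNELLED)):
        dropped, fwd = apply_acl(pkts)
        print(f"{name:9s} dropped={dict(dropped)} forwarded={dict(fwd)}")
```

In the tunnelled run nothing matches the ACL and the whole burst lands in the TCP/80 counter, which is exactly the "port 80 eating the network alive" outcome described above.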

> I think the other point that may be escaping some people,
> is that as more and more connections take on this VPN-like
> quality, as network operators we lose any visibility into
> the validity of the traffic itself.

As network operators, we move bits, and that is what we should stick to
moving.

We do not look into packets and see "oh look, this to me looks like an evil
application traffic", and we should not do that. It should not be the goal
of IS to enforce the policy for the traffic that passes through it. That
type of enforcement should be left to ES.

> Imagine how much more painful SQL Slammer would have been, if all the
> traffic was encapsulated in port 80 between sites, and only hit port 1434
> locally?

How do you know which traffic is good and which traffic is evil?

> At least today, we can decide that 92 byte ICMP echo-request
> packets are invalid, and drop them; or that for the most part,
> packets destined to port 1434 should be discarded as quickly
> as possible.

How does your IS know what a _particular_ ES uses port 1434 for?

Alex

> Well, that is nice theory, but I'd like to see how you react to a 2Gb DoS
> attack and if you really intend to put filters at the edge or would not
> prefer to do it at the entrance to your network. Slammer virus is just
> like DoS, that is why many are filtering it at the highest possible
> level as well as at all points where traffic comes in from the customers.

Actually, no, it is not theory.

When you are slammed with N gigabits/sec of traffic hitting your network, if
you do not have enough capacity to deal with the attack, no amount of
filtering will help you, since by the time you apply a filter it is already
too late - the incoming lines have no place for "non-evil" packets.

Leave content filtering to the ES, and *force* ES to filter the content.

Let IS be busy moving bits.

Alex

> > > application traffic", and we should not do that. It should not be the goal
> > > of IS to enforce the policy for the traffic that passes through it. That
> > > type of enforcement should be left to ES.
> >
> > Well, that is nice theory, but I'd like to see how you react to a 2Gb DoS
> > attack and if you really intend to put filters at the edge or would not
> > prefer to do it at the entrance to your network. Slammer virus is just
> > like DoS, that is why many are filtering it at the highest possible
> > level as well as at all points where traffic comes in from the customers.
>
> Actually, no, it is not theory.
>
> When you are slammed with N gigabits/sec of traffic hitting your network, if
> you do not have enough capacity to deal with the attack, no amount of
> filtering will help you, since by the time you apply a filter it is already
> too late - the incoming lines have no place for "non-evil" packets.

This concept does not work on every network. You may very well have enough
capacity to handle all the traffic from the upstream provider (you probably
don't want to, and will ask them to filter as well), but the actual line to the
POP where the customer is connected may be smaller; or, even if you do have
enough capacity to the POP, the extra traffic going there will greatly
affect IGP routing on the network and may cause problems for customers in
completely different cities.

> Leave content filtering to the ES, and *force* ES to filter the content.

It's not content filtering. I'm not filtering only certain html traffic
(like access to porn sites); I'm filtering traffic that is causing harm to
my network, and if I know what traffic is causing problems for me, I'll
filter it first chance I get.

> > Leave content filtering to the ES, and *force* ES to filter the content.
> It's not content filtering. I'm not filtering only certain html traffic
> (like access to porn sites); I'm filtering traffic that is causing harm to
> my network, and if I know what traffic is causing problems for me, I'll
> filter it first chance I get.

It is content filtering. You are filtering packets that you think are
causing problems to the ES that you may not control.

Alex

No, he said quite clearly he's filtering packets (such as Nachi ICMP) that are
causing harm to *his* network. He gets to make a choice - filter the known
problem packets so the rest of the traffic can get through, or watch the
network melt down and nobody gets anything.

> > It is content filtering. You are filtering packets that you think are
> > causing problems to the ES that you may not control.
>
> No, he said quite clearly he's filtering packets (such as Nachi ICMP) that are
> causing harm to *his* network. He gets to make a choice - filter the known
> problem packets so the rest of the traffic can get through, or watch the
> network melt down and nobody gets anything.

He needs to fix his network so those 92 byte ICMP packets won't break it.

Alex

Are you actually saying that providers in the middle should build their
networks to accommodate any amount of DDOS traffic their ingress can
support instead of filtering it at their edge? How do you expect them
to pay for that? Do you really want $10,000/megabit transit costs?

Owen

> Are you actually saying that providers in the middle should build their
> networks to accommodate any amount of DDOS traffic their ingress can
> support instead of filtering it at their edge? How do you expect them
> to pay for that? Do you really want $10,000/megabit transit costs?

I remember GM saying something like that about this car that put Nader in the
political arena. Are we that dumb that we need to be taught the same
lessons?

Fix the networks. Force the customers to play by the rules.

Alex

> I remember GM saying something like that about this car that
> put Nader in the political arena. Are we that dumb that we need
> to be taught the same lessons?

GM seems to still be building cars and trucks, and Nader lost a presidential
election.

Which lesson were we supposed to learn?

Matthew Kaufman
matthew@eeph.com

> > I remember GM saying something like that about this car that
> > put Nader in the political arena. Are we that dumb that we need
> > to be taught the same lessons?
> GM seems to still be building cars and trucks, and Nader lost a presidential
> election.

GM seems to also have cut a very big check to pay the judgements.

Alex