filtering spoofed addresses cheaply

There has been a fair amount of discussion about where and how to filter
spoofed IP Source addresses. I don't understand why this is considered
so hard. Let me tell you about what Merit did nearly 15 years ago....

Every NAS (they were called SCPs in those days) knows the address
assigned to each link. So, Merit code just replaced the incoming IP
Source field with the known address, before calculating the IP Header
checksum. Spoofed addresses -> packets discarded with bad checksum.
Simple. Elegant. No additional CPU.

We merely want the same thing to happen BY DEFAULT on every dial-up
link. Listening Lucent/Livingston? Ascend? Et alia?

Now, the ethernet spoof detection is a little harder, but since each
interface is already configured with an address and subnet prefix length
(or mask), every interface should simply discard all incoming packets
with an IP Source prefix that does not match. The knob for accepting
other extra subnets should default to "off", just as the knob for
accepting RIP broadcasts defaults to "off", and the knob for BGP peers
defaults to "off". KISS. You don't accept unexpected routing
advertisements from your downstreams, do you!?!?

The whole argument about asymmetric routing does not apply. You would
not filter at those multi-homed routers in any case, and you already
have to configure something special (routing policy).
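The two rules the post above describes, written out as an added example for this page (not Merit's, Lucent's or Ascend's code): the dial-up trick of overwriting the Source field with the address known for the link so that a spoofed packet fails its own header checksum, and the interface rule of dropping sources outside the configured prefix. The addresses and header fields are constructed for the example.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """Ones' complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum; constructed input."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_ok(header: bytes) -> bool:
    """A header verifies when the folded sum over all words, checksum included, is zero."""
    return ipv4_checksum(header) == 0


def merit_rewrite(header: bytes, link_addr: str) -> bytes:
    """The dial-up rule: overwrite the Source field (bytes 12..15) with the address
    assigned to the link and leave the checksum field alone. A truthful source is a
    no-op; a spoofed one now carries a bad checksum and is discarded downstream."""
    return header[:12] + ipaddress.IPv4Address(link_addr).packed + header[16:]


def ethernet_ingress_ok(src: str, iface_prefix: str) -> bool:
    """The interface rule: accept only sources inside the configured subnet prefix."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(iface_prefix, strict=False)
```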

one view is that the clue is in the core where it is too late to fix it.
and the place it needs to be fixed is at the edges, where the tools are weak
and the clues seem (given empirical evidence) too few and far apart. this
will change very slowly as market forces move clue toward the edges (on the
backs of flying pigs) or the edges wither.

another view is that the site of the cause is not where the pain of the
effect is felt. hence the incentive to fix is small. this would seem only
susceptible to vigilante acts, which is not cool. better ideas welcome.


Well, yes and no.

Blocking the amplifiers, forcing them to repent and fix their routers (or
lose connectivity) WORKS, Randy. I'm living proof, because what was a
nightly out-of-service condition on our IRC server is now NOT one.

Without the amplifiers, the source spoofing is useless. Yes, I know it's not
the real problem, but trying to get Lucent and ASCEND in particular to fix
this has proven fruitless over more than a year. All that is left is
interdiction; it's not perfect, but folks, it WORKS.