no ip forged-source-address

It is a lot easier to stop when you know whom you have to stop.

Why is uunet so opposed to uRPF? If performance concerns, what effort
has been made to address them with the vendor? Why is it that others
(I believe ATT was mentioned) can do it with no apparent performance
impact? Is it philosophical, and nothing would get you to change? What
about financial, more dos traffic equals more revenue and bad sources
means complaints may go elsewhere deflecting cost from the abuse/security
budget? Do you just not like us?

Let's solve whatever issues you believe to exist, so we can do _something_
rather than sitting around not doing anything all the time. What would
it take to get uunet to do something?

What about the other large isps? What would it take for you to do
something? Chris is gracious enough to show up and participate, at
least even if it does mean he has to wear nomex.

I'm in favor of source address filtering at the edges.

I'm opposed to some of the suggestions where to put source address
filters, especially placing them in "non-edge" locations. E.g. requiring
address filters at US border crossings is a *bad* idea, worthy of an
official visit from the bad idea fairy.

Our networks, and our customer bases, are not identical. This is good
and bad. Not to make excuses, the ease with which this can technically be
done depends on your network and type of customer connections. Or more
precisely how you aggregate customer connections.

IMHO the edge is generally the best place to do source address filtering.
After traffic is aggregated its more difficult. Some folks have already
identified the technical limitations of some types equipment. And with
the market, we're going to be stuck with that equipment for a while. In
hindsight, if every provider and every equipment vendor did it from day 1,
we would be in great shape.

Does that mean I can wave my magic wand and fix everything tomorrow? No.

Can I work on standards, vendors and purchasing agents to change this over
time? Yes. Will yelling at me make it happen faster? I doubt it, but I
know you will anyway.

> What about the other large isps? What would it take for you to do
> something? Chris is gracious enough to show up and participate, at
> least even if it does mean he has to wear nomex.

I'm in favor of source address filtering at the edges.

I'm opposed to some of the suggestions where to put source address
filters, especially placing them in "non-edge" locations.

No argument there. Bogon filtering could (should?) be done everywhere, but ingress is best when done close to, well, the ingress point.

  E.g. requiring
address filters at US border crossings is a *bad* idea, worthy of an
official visit from the bad idea fairy.

This would be a bad idea even if it were possible to clearly delineate border crossings somewhere. Many foreign ISPs collocate routers in the USA, leading to all kinds of fun questions of where borders lie in cyberspace.

Our networks, and our customer bases, are not identical. This is good
and bad. Not to make excuses, the ease with which this can technically be
done depends on your network and type of customer connections. Or more
precisely how you aggregate customer connections.

Doing absolutely nothing, in any part of one's network seems unreasonable. For the large backbone providers, they might consider adding terms-of-service requirements for their downstreams, if they themselves can't implement on their equipment. UUNet was able to impose something like that with port 25 blocking, requiring their wholesale POP customers to add that to their RADIUS server configs.

Even the Cisco RPF check that looks to see if there is ANY route to a net would be helpful. That would squelch out the packets with 0.0.0.0 source addresses and other such bogons. Cisco claims that's not even high overhead. Perhaps turning that on in the backbone routers would be worthwhile?

IMHO the edge is generally the best place to do source address filtering.
After traffic is aggregated its more difficult.

Clearly. The question is the definition of aggregation. Is it the customer premesis router that must do the work, the aggregation router at the local ISP? The backbone vendor's aggregation router that regional ISPs attach to?

Some folks have already
identified the technical limitations of some types equipment. And with
the market, we're going to be stuck with that equipment for a while. In
hindsight, if every provider and every equipment vendor did it from day 1,
we would be in great shape.

Does that mean I can wave my magic wand and fix everything tomorrow? No.

Can I work on standards, vendors and purchasing agents to change this over
time? Yes. Will yelling at me make it happen faster? I doubt it, but I
know you will anyway.

When I first got involved in this back in 1996, this was my answer to those who complained their routers would melt. "Add it to your requirements document for your next round of purchasing" was a common comment. If you don't tell your vendors you need a feature, they won't spend their time on it. Cisco, to their credit, has been working on this issue. Their automated solutions have shortcomings, but they seem to be working on improvements. In edge cases with single-homed customers, there's really no excuse not to have an ACL to take care of the issue. The extra few lines of config (probably script generated anyway) would not hurt. Seems some folks won't even do that.

Sean puts this very nicely... I was away today so I missed the rest of the
traffic and looking it over alot of it was not relevant. I'll put in some
comments here though.

> What about the other large isps? What would it take for you to do
> something? Chris is gracious enough to show up and participate, at
> least even if it does mean he has to wear nomex.

I'm in favor of source address filtering at the edges.

Sure, so are most operators, including me. Define the edge the right way,
as Sean says, though. The edge is the customer CPE, or even the LAN router
inside the customer network. As close as possible to actual hosts that
can spoof.

I'm opposed to some of the suggestions where to put source address
filters, especially placing them in "non-edge" locations. E.g. requiring
address filters at US border crossings is a *bad* idea, worthy of an
official visit from the bad idea fairy.

In general, knowing what ips a 'peer' is going to send you is very
difficult. One would hope that all peers would have all customers
implement filtering as close to their hosts as possible. This isn't a
reality today

Putting filtering, of any type, in a 'core' spot is asking for trouble.
Doing much other than routing at the core is a bad plan. In the future
perhaps filtering and other magic would be possible in the core, but in
reality it will almost always be a tough thing to do.

Our networks, and our customer bases, are not identical. This is good
and bad. Not to make excuses, the ease with which this can technically be
done depends on your network and type of customer connections. Or more
precisely how you aggregate customer connections.

This is a good point. If you are aggregating customers on gear where the
uRPF filtering is done in software you will severely impact performance
with anything over oc3 rates

Do not confuse acls with uRPF, acls on t1 aggragation isn't workable
unless your 'network' lives in your basement. uRPF is only feasible in
some small circumstances.

Making the assumption that because your network works with uRPF and thus
Sean's or Ryan's or Paul's will isn't really valid. I would like to
believe that the majority of NSP/ISP operators have atleast considered
uRPF, or some kind of mitigation techniques. We have, and for us the
current possibilities aren't feasible for a number of technical reasons
which the respective's vendors are aware.

IMHO the edge is generally the best place to do source address filtering.
After traffic is aggregated its more difficult. Some folks have already
identified the technical limitations of some types equipment. And with
the market, we're going to be stuck with that equipment for a while. In
hindsight, if every provider and every equipment vendor did it from day 1,
we would be in great shape.

Yes, filter at the 'edge', where 'edge' == 'as close to the host as
possible'. Possibly this could be accomplished by a config default in
IOS/JunOS... something akin to 'no ip directed broadcast'... or atleast
that possibility was raised at the NANOG Security BOF.

This won't solve any problems in the short term, but it is a move in the
right direction.

Does that mean I can wave my magic wand and fix everything tomorrow? No.

Can I work on standards, vendors and purchasing agents to change this over
time? Yes. Will yelling at me make it happen faster? I doubt it, but I
know you will anyway.

This is the tact that we are taking inside UUNET today. We are trying to
work on a consensus document for 'Network Equipment Requirements'. This
effort is being headed up by Mr. George Jones, I believe this document is
headed out for IETF work and possibly additions to BCP 38 ? Barry Greene
is helping out on this along with some folks from Merit.

The focus of this is to get everyone possible asking for the same thing
from their vendors. For a long time every vendor through the door would
say: "security what?", "Filtering what?", "You are the ONLY person asking
for this capability." This was the response to: Radius authentication for
management access, tacacs auth for management access, auth for management
access, filtering, filtering at line rate, filtering on all interfaces...
the list goes on of things that one would assume are 'standard' on any
network gear. UUNET, atleast, has been asking all vendors we
see/speak-with/test for the list of things in George's document for the
last 2 years.

-Chris "Nomex, whats that?" Morrow.