> I am network manager for a pretty much medium-sized ISP, with around
> 1700 internal network blocks; 600 of which come from dynamic sources.
> (RADIUS; variuos routing protocols). Given that a stock router will
> run out of filter lists long before the 600 mark I see major scaling
> problems here. (Outside of our network we show around 30 BGP network
You need to do this as close to the edge as possible. Do you have routers
with 600 customer links directly connected? If you did, then it might
only be feasible to require that your customers filter their traffic such
that they cannot send bogus source traffic to you...and have stiff
penalties in their service contracts for failure to maintain such filters.
We have routers with ISDP PRI links, where the routing information
arrives from RADIUS via a CHAP login. There are 600 routed objects
in the RADIUS database, as well as 10k+ non-routed (dynamic IP)
objects. Every ISDN router therefore has a potential 600 directly
attached neighbors; although no router has more than 60 links at any
one time. Some common equipment may handle this just barely; other is
wholly inadequate.
We DO filter on the other edge too, (towards peering partners).
We currently have approx 10 megabit worth of external traffic in
two locations; and filtering works. I doubt we can do this with
10 times this traffic.
Because of this filtering spoofing will be between clients that have a contractual
relationship with us; and we can easily go after them in the judicial system;
and we have this covered in the contracts. All routers we ship have anti-
spoofing filterlists configured too, but we only have such a relation
to around half of our customers.
My point is that both approaches have huge scaling problems; easily evident
for a medium-size ISP. (Although we are part of EUnet International the national
operations are pretty autonomous). If things are this evident for us, it must
be a nightmare for the bigger ISP's with lots more routed objects.
I would appreciate some thought on how to address this issue on a
bigger scale.
We have routers with ISDP PRI links, where the routing
information arrives from RADIUS via a CHAP login. There are 600
routed objects in the RADIUS database, as well as 10k+
non-routed (dynamic IP) objects. Every ISDN router therefore
has a potential 600 directly attached neighbors; although no
router has more than 60 links at any one time. Some common
equipment may handle this just barely; other is wholly
inadequate.
It sounds to me like what you would really like was something
akin to the "RPF check" as done on multicast traffic for unicast
traffic on your customer routers, perhaps as a per-interface
option. If this feature existed you would not accept a packet
from a given source and incoming interface unless the box in
question has a route for the source pointing back out the same
interface. That way you would not get the administrative burden
of maintaining access lists and ensuring they're always in synch
with the local view of the routing system.
Doing this on the customer border routers appears to me to be the
obviously right place. Doing this in a place where asymmetrical
routing is the norm (as appears to be the case in the current
backbones) is obviously a non-starter.
I think this has been mentioned several times to various providers
in the past without this feature materializing, but one can still
hope. (It's not unconceivable that the current access products have
not been engineered with sufficient CPU resources to be able to even
perform this task...)
- H�vard
So if you only have 60 links at a time, it can probably handle 60 really
short access-lists. The trick is how to create appropriate filter lists
on the fly. People have been requesting "automatic" filters where the
access-server unless overridden creates a filter based on the routes it
has for a particular interface. Hopefully, they're actually working on
this...or at least thinking about it.
As an "it's better than nothing" solution, unless you have too many
network blocks, you can at least put in your various routers filter lists
that allow forwarding of all possibly valid source addresses, but block
absolutely bogus ones (i.e. source addresses from networks that are not
yours). This would allow some level of spoofing within your own network,
but protect the rest of the world.