Re: [spoofing-tf] HOWTO draft

To: "Juan P. Cerezo" juampe@localhost
From: Pekka Savola pekkas@localhost
Date: Thu, 14 Sep 2006 08:25:56 +0300 (EEST)

On Wed, 13 Sep 2006, Juan P. Cerezo wrote:
This is the draft of the Anti-Spoofing Howto document, to be discussed on the list. There are some items to be filled yet, but people can start to comment on what's been written up to now.

I looked quickly at the first sections only.  Two comments below:

4.2.1. Filtering prefixes

- What to filter

Basically, IP traffic with a source address belonging to prefixes that
should not be on the routing table of routers connected to (or that
forward traffic from/to) the public Internet. The most common
characterization of these prefixes is the so-called Bogon Prefixes[1].

==> why do you recommend filtering only bogon prefixes? That's pretty useless in the grand scheme of spoofing. The more important issue is filtering out addresses which have been spoofed to be from someone else's address space.

- Where to filter

On the IP hosts (if the TCP/IP stack implements this option), on the
customer (CPE) routers, on the ISP infrastructure equipment (access
routers and concentrators, DFZ routers).

==> I'd also recommend applying filtering at your peering/upstream edges:
 - outbound: allow out only valid addresses you give transit for (just in case you glitched somewhere, your wrong traffic won't leak out; also disables transit stealing by static routing)
 - inbound: disallow your own singlehomed addresses as source

FWIW, we've done both of these successfully for quite some time now.

Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
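Added example (not from the thread or the HOWTO draft): a small Python model of the peering/upstream-edge source-address checks Pekka recommends, combined with the draft's bogon filter, run over constructed sample packets. All prefixes are constructed placeholders (documentation and private space), not any real network's, and the bogon list is an illustrative subset rather than the full list the draft cites.

```python
import ipaddress

# Illustrative bogon subset: source addresses that should never appear on
# the public Internet (constructed subset, not the complete bogon list).
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
           "192.168.0.0/16", "224.0.0.0/4")]

# Constructed placeholders for the operator's own address space.
TRANSIT_PREFIXES = [ipaddress.ip_network(p) for p in
                    ("192.0.2.0/24", "198.51.100.0/24")]  # space we give transit for
SINGLEHOMED = [ipaddress.ip_network("192.0.2.0/24")]      # our single-homed space


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def edge_filter(direction, src):
    """Decide permit/deny for a packet with source `src` crossing the
    peering/upstream edge. direction: 'outbound' (leaving our network)
    or 'inbound' (arriving from a peer/upstream). Returns (verdict, reason)."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGONS):
        return ("deny", "bogon source")
    if direction == "outbound":
        # Only addresses we actually provide transit for may leave; anything
        # else is either a spoofed source or a misrouting glitch leaking out.
        if _in_any(addr, TRANSIT_PREFIXES):
            return ("permit", "our transit space")
        return ("deny", "not our transit space")
    if direction == "inbound":
        # Our own single-homed prefixes cannot legitimately arrive from outside.
        if _in_any(addr, SINGLEHOMED):
            return ("deny", "own singlehomed space as source")
        return ("permit", "external source")
    raise ValueError(f"unknown direction: {direction}")


if __name__ == "__main__":
    # Constructed sample packets: (direction, source address).
    samples = [("outbound", "192.0.2.10"), ("outbound", "203.0.113.5"),
               ("inbound", "192.0.2.10"), ("inbound", "203.0.113.5"),
               ("inbound", "10.1.2.3")]
    for direction, src in samples:
        verdict, reason = edge_filter(direction, src)
        print(f"{direction:8} {src:15} {verdict:6} ({reason})")
```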