[spoofing-tf] Draft Document - RIPE Recommendation

  • To: RIPE IP Anti-Spoofing Task Force spoofing-tf@localhost
  • From: Daniel Karrenberg <daniel.karrenberg@localhost>
  • Date: Tue, 26 Sep 2006 15:29:35 +0200

Here is the first draft of the RIPE Recommendation. 
The last sentence will become clear when you read the
agenda for next week ;-).  See also the accompanying
"business case" document "Network Hygiene Pays Off".

Feedback most welcome!

Daniel

RIPE Recommendation on IP Source Address Verification

Document: ripe-xxx
Version: 0.5
Tue Sep 26 15:22:49 CEST 2006

Joao Luis Silva Damas
Daniel Karrenberg

Denial of Service (DoS) attacks are a frequent problem on the Internet. 
They regularly disrupt services and networks; counteracting and
mitigating them when they happen requires resources from both ISPs and
the attacked Internet users.  This has been widely described in several
reports [references: ssac008, ....]. 

Of all these attacks, the worst usually use Internet packets with forged
(spoofed) IP source addresses in some way.  In particular, the very
effective reflector attacks would not work at all if the use of spoofed
source addresses could be prevented.  No spoofed source addresses in the
Internet means no reflector-type DoS attacks.  No spoofed source
addresses in the Internet also makes it significantly easier to mitigate
other types of attacks, by increasing the traceability of the sources of
the attack. 

Hence there have been a number of recommendations to network operators
suggesting that they need to take action to prevent traffic with
spoofed source addresses.  Doing this is very simple and the principle
has been described elsewhere.  [ref: ssac004, bcp38]

Yet we still see these attacks happening continuously.  Detection
efforts still find many hosts on the Internet that are able to lie about
their address at will.  [ref ana spoofer]


Therefore RIPE makes the following recommendations:

ISPs should verify source addresses as close to the network edge as
possible. 

ISPs should not carry traffic with spoofed source addresses.

ISPs should publish their policies regarding source address verification
and where appropriate publish how these are implemented. 

ISPs should exchange information about implementation of source address
verification freely with other ISPs. 

ISPs should encourage both their customers and their peers to follow
this recommendation. 
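As an added illustration of the first two recommendations, not part of this draft or of the task force's technical documentation, the following Python model shows what strict source address verification at a customer-facing edge port amounts to: a packet is forwarded only if its source lies within a prefix assigned to the interface it arrived on, and drops are counted per port so a customer emitting spoofed traffic becomes visible. Interface names, prefixes and sample packets are constructed.

```python
import ipaddress
from collections import Counter

# Constructed example: prefixes delegated to each customer-facing edge interface.
# A packet arriving on an interface with a source outside these prefixes is spoofed.
EDGE_INTERFACES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:1::/48")],
}


def source_is_valid(interface, src):
    """Strict ingress check (the BCP38 principle): accept a source address only
    if it falls inside a prefix assigned to the interface the packet arrived on.
    Unknown interfaces have no prefixes, so everything from them is rejected."""
    addr = ipaddress.ip_address(src)
    # Membership of a v4 address in a v6 network (or vice versa) is simply False.
    return any(addr in net for net in EDGE_INTERFACES.get(interface, []))


def filter_packets(packets):
    """Split packets into forwarded and dropped lists and count drops per
    interface, so a port that keeps sourcing forged addresses shows up in
    monitoring rather than silently feeding reflector-type attacks."""
    forwarded, dropped = [], []
    drops_per_iface = Counter()
    for iface, src, dst in packets:
        if source_is_valid(iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
            drops_per_iface[iface] += 1
    return forwarded, dropped, drops_per_iface


# Constructed sample traffic: (ingress interface, source address, destination).
SAMPLE = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),           # legitimate
    ("cust-a", "203.0.113.5", "192.0.2.10"),           # source is not cust-a's: spoofed
    ("cust-b", "198.51.100.200", "203.0.113.5"),       # outside the /25: spoofed
    ("cust-b", "2001:db8:1::42", "2001:db8:ffff::1"),  # legitimate IPv6
    ("cust-b", "198.51.100.7", "203.0.113.5"),         # legitimate
]

if __name__ == "__main__":
    fwd, drop, counts = filter_packets(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)} drops per port={dict(counts)}")
```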


The RIPE anti-spoofing task force will support ISPs in implementing
these recommendations.  To help argue the business case for 
IP source address verification the task force has published a report
entitled "Network Hygiene Pays Off".  The task force is also maintaining
technical documentation about how this recommendation can be implemented.

### ISPs have pledged in the "Tallinn Declaration" that they will 
adhere to this recommendation.