[spoofing-tf] Preparing for anti-spoofing project at $fooBig carrier

  • From: "Martin Hannigan" hannigan@localhost
  • Date: Mon, 16 Oct 2006 20:27:52 -0400
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=jsR5Uc1PzJEh+i+jep7yer/QRXw4reJj3lXKupwvbiXTeys4AFJ+vNV1PvmikbRohpyMV5aBVwQJeE+uRVoHfbjIGDhQVF8RGxsmUjOf9Zmqm/yjxRZ9YrqeVkkPCZHri/FR2YNyV3qJIEnHixfbwcz5Wg+87qrSU8CSy+I9L7U=

Hello Colleagues:

I am working with a large carrier in the Caribbean covering a service area of
$M users. We are deploying new links, routers, and core switching and
I attended the anti-spoofing WG meeting and spoke to someone in the hallway
and volunteered to contribute to the FAQ by contributing my engineers notebook
on the project or by actually doing some work. :)

I'm "management" but I am running the team of engineers that will be doing the
deployment. We're aware of different methods that would be considered
anti-spoofing
smart, but from our perspective, seem to be more IT centric so I
thought I'd post here
to generate some discussion so that I can start populating my notebook.

Clearly, BCP 38 is called for so I'll start here. My interpretation of
it is applied
to ingress traffic. In my day of hands on router configuration, this meant that
router performance would be dragged down the drain. I suspect that this is not
necessarily the case, depending upon router type these days.

At the edge, I'm deploying 6709's with 1gb uplinks. The future is
obviously 10gb, which these boxes will likely deliver in their 3 to 5
year life expectancy.

1. What should I expect performance wise? Im running big iron, but Im more
  concerned with my legacy little iron, ie 7500 series with 512MB RAM, etc.

2. bcp 38 was published in 2000. Still relevant in most peoples eyes
   or have the miscreants changed tactics enough where it doesn't
matter and that a ddos
  defense may be cheaper/smarter/wiser? I understand that part of the ddos
  mechanism working against us is spoofed traffic, but so what? If I
  go through  the effort of compliance, won't they just move to some
other attack vector?
  [rhetorical for the record]

3. Is there any common breakdown in the network that folks have seen? "Woops!"
  so to speak..

4. Anyone have any problem using this page as a reference for the implementation
  reference as well as the BCP?

 http://www.cisco.com/warp/public/707/iacl.html


Thanks for your advice,

Martin