Re: [spoofing-tf] Preparing for anti-spoofing project at $fooBig carrier
To: Martin Hannigan hannigan@localhost
From: Gert Doering gert@localhost
Date: Tue, 17 Oct 2006 08:45:55 +0200
On Mon, Oct 16, 2006 at 08:27:52PM -0400, Martin Hannigan wrote:
> Clearly, BCP 38 is called for, so I'll start here. My interpretation of
> it is applied to ingress traffic. In my day of hands-on router
> configuration, this meant router performance would be dragged down the
> drain. I suspect that this is necessarily the case, depending upon
> router type these days.
Recent gear should be able to do the anti-spoofing filtering at the edge
without serious performance impact.
> At the edge, I'm deploying 6709's with 1gb uplinks. The future is
> obviously 10gb, which these boxes will likely deliver in their 3 to 5
> year life expectancy.
> 1. What should I expect performance wise? I'm running big iron, but I'm more
> concerned with my legacy little iron, i.e. 7500 series with 512MB RAM, etc.
... specifically, 650x/760x with Sup720 and activated "uRPF" filtering
will do all the filtering in hardware, with no noticeable impact on
For "legacy little iron", it depends on how loaded the box really is. uRPF
is done using the CEF structures (not with ACLs), so it's "fairly cheap",
but it *will* cause extra work for RSP or VIPs - and if you're already
at 95% CPU load, this might be too much. (But then you should upgrade
> 2. BCP 38 was published in 2000. Still relevant in most people's eyes,
> or have the miscreants changed tactics enough where it doesn't matter
> and that a DDoS defense may be cheaper/smarter/wiser? I understand that
> part of the DDoS mechanism working against us is spoofed traffic, but
> so what? If I go through the effort of compliance, won't they just
> move to some other attack vector?
> [rhetorical for the record]
It will remove whole classes of possible DDoS attacks, like "DNS reflection".
DDoS attacks are still possible, but with un-spoofed addresses, you can
at least know where the stuff is coming from, and try to quench it at
> 3. Is there any common breakdown in the network that folks have seen?
> so to speak..
Don't enable ingress filtering on backbone links with asymmetric traffic.
This is something for the customer edge.
> 4. Anyone have any problem using this page as a reference for the
> reference as well as the BCP?
This is something else - this is not "anti-spoofing filtering", but
"leave my routers alone!"-filtering.
You want both...
Total number of prefixes smaller than registry allocations: 98999
SpaceNet AG Mail: netmaster@localhost
Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0
D- 80807 Muenchen Fax : +49-89-32356-234
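The thread above contrasts uRPF (a CEF/FIB-based check) with static BCP 38 ACLs, and warns against enabling ingress filtering on backbone links with asymmetric traffic. The following is an added illustration, not code from the thread or from any router vendor: it models strict-mode and loose-mode uRPF as a longest-prefix lookup over a small forwarding table, alongside a static customer-edge ACL. The forwarding table, interface names and packets are constructed for the example; the only real identifiers are the IOS keywords named in comments.

```python
"""Unicast RPF decision logic, modelled in plain Python.

Added illustration for the BCP 38 discussion above; this is not router
code and not part of the original thread. The FIB, interface names and
packets are constructed for the example.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed forwarding table: (prefix, egress interface). Longest match wins.
FIB: List[Tuple[str, str]] = [
    ("0.0.0.0/0",       "Gi1/1"),  # default route toward upstream
    ("192.0.2.0/24",    "Gi2/1"),  # customer A
    ("198.51.100.0/24", "Gi2/2"),  # customer B
    ("203.0.113.0/25",  "Gi3/1"),  # more-specific path learned from peer 1
    ("203.0.113.0/24",  "Gi3/2"),  # covering route learned from peer 2
]


def lookup(src: str) -> Optional[Tuple[str, int]]:
    """Longest-prefix match on the source address.

    Returns (egress interface, prefix length) or None when nothing matches.
    """
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[str, int]] = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (iface, net.prefixlen)
    return best


def urpf_strict(src: str, ingress: str, allow_default: bool = False) -> bool:
    """Strict mode (IOS 'ip verify unicast source reachable-via rx').

    The best route back to the source must leave via the interface the
    packet arrived on. A hit on the default route only counts when
    allow_default is set (the IOS 'allow-default' keyword).
    """
    hit = lookup(src)
    if hit is None:
        return False
    iface, plen = hit
    if plen == 0 and not allow_default:
        return False
    return iface == ingress


def urpf_loose(src: str, ingress: str, allow_default: bool = False) -> bool:
    """Loose mode (IOS 'reachable-via any'): any route to the source is
    enough, whatever interface it points at. Only unrouted sources fail."""
    hit = lookup(src)
    if hit is None:
        return False
    return allow_default or hit[1] > 0


def ingress_acl(src: str, allowed: List[str]) -> bool:
    """Static BCP 38 filter: a customer port may only source its own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in allowed)


# Constructed packets: (source address, ingress interface, what it represents)
PACKETS = [
    ("192.0.2.10",  "Gi2/1", "customer A sourcing its own space"),
    ("192.0.2.10",  "Gi2/2", "customer B spoofing customer A"),
    ("10.0.0.1",    "Gi2/1", "customer A spoofing unrouted space"),
    ("203.0.113.5", "Gi3/2", "peer 2 delivering legitimate asymmetric traffic"),
]


def evaluate() -> List[Tuple[str, bool, bool]]:
    """Run every packet through both modes; returns (description, strict, loose)."""
    return [(why, urpf_strict(s, i), urpf_loose(s, i)) for s, i, why in PACKETS]


if __name__ == "__main__":
    for why, strict_ok, loose_ok in evaluate():
        s = "pass" if strict_ok else "DROP"
        l = "pass" if loose_ok else "DROP"
        print(f"{why:50s} strict={s}  loose={l}")
```

The last packet is the case Gert warns about: the best route back to 203.0.113.5 points at Gi3/1, but peer 2 legitimately delivers that block over Gi3/2, so strict mode drops good traffic while loose mode passes it. Strict mode belongs on the customer edge, where the return path is unambiguous; loose mode (or nothing) belongs on asymmetric backbone links.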