Re: [spoofing-tf] Preparing for anti-spoofing project at $fooBig carrier

  • To: Martin Hannigan hannigan@localhost
  • From: Pekka Savola pekkas@localhost
  • Date: Tue, 17 Oct 2006 09:48:27 +0300 (EEST)

On Mon, 16 Oct 2006, Martin Hannigan wrote:
> Clearly, BCP 38 is called for so I'll start here. My interpretation of it is applied to ingress traffic.

Most importantly, yes, but filtering can also be applied (in addition to ingress traffic) for peering/upstream egress traffic. See draft-savola-rtgwg-backbone-attacks-02.txt. This helps in ensuring that no spoofed traffic escapes your network and that your peers don't steal transit by static routing etc.

> 3. Is there any common breakdown in the network that folks have seen? "Woops!" so to speak..

I've seen Cisco's CEF breaking a couple of times, causing e.g., 50% packet drop. A recent case (AFAIR) was that an unrelated interface was removed and as a result 50% of packets (two upstream links) from a CEF/uRPF enabled interface were dropped. Clearing CEF or toggling uRPF on and off fixes these kinds of problems but it's unfortunate that Cisco can't get this basic stuff right.

> 4. Anyone have any problem using this page as a reference for the implementation reference as well as the BCP?
>
> http://www.cisco.com/warp/public/707/iacl.html

Infrastructure protection ACLs are just a subset of spoofing protection.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
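The ingress/egress split discussed in the reply above, modelled as an added example that is not part of the thread and not any vendor's code: a toy longest-prefix-match FIB, strict and loose uRPF applied to ingress traffic, and a prefix-list check on egress toward peers/upstreams so that nothing with a source outside your own and your customers' space leaves the network. Every prefix, interface name and packet is constructed for the example. The `allow_default` switch is an assumption modelled on Cisco IOS, where uRPF ignores the default route unless `allow-default` is given; it also shows why strict mode misfires for a dual-homed customer whose traffic arrives over the link that is not the best return path.

```python
"""BCP 38 source-address checks on a toy FIB (added example, constructed data)."""
import ipaddress

# Constructed FIB: (prefix, outgoing interface). Not a real network.
FIB = [
    ("0.0.0.0/0", "up1"),          # default route toward one upstream
    ("192.0.2.0/24", "core"),      # our own infrastructure block
    ("198.51.100.0/24", "cust1"),  # single-homed customer
    ("203.0.113.0/24", "cust2-a"), # dual-homed customer, best return path via link a
]

# What may legitimately leave toward peers/upstreams: our space plus customers' space.
OUR_PREFIXES = [ipaddress.ip_network(p)
                for p in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def lpm(fib, addr, allow_default=False):
    """Longest-prefix match; returns the outgoing interface or None.

    The default route is ignored unless allow_default is set, mirroring the
    (assumed) IOS behaviour where uRPF needs 'allow-default' to count it.
    """
    ip = ipaddress.ip_address(addr)
    best_net, best_if = None, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if


def ingress_strict(fib, src, ingress_iface):
    """Strict uRPF: accept only if the best route back to src exits the ingress interface."""
    return lpm(fib, src) == ingress_iface


def ingress_loose(fib, src, allow_default=False):
    """Loose uRPF: accept if any (non-default) route to src exists at all."""
    return lpm(fib, src, allow_default) is not None


def egress_allowed(src):
    """Egress filter toward peers/upstreams: only our own address space may leave."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in OUR_PREFIXES)


def classify(fib, src, ingress_iface):
    """Summarise what each check would do with one packet; handy for comparing modes."""
    return {
        "strict": ingress_strict(fib, src, ingress_iface),
        "loose": ingress_loose(fib, src),
        "egress": egress_allowed(src),
    }


if __name__ == "__main__":
    # Constructed packets: (source, interface it arrived on)
    for src, iface in [("198.51.100.7", "cust1"),   # legitimate single-homed customer
                       ("192.0.2.9", "cust1"),      # customer spoofing our core block
                       ("203.0.113.5", "cust2-b"),  # dual-homed customer, non-best link
                       ("10.9.9.9", "cust1")]:      # unrouted source
        print(src, iface, classify(FIB, src, iface))
```

Strict mode on `cust1` drops both the spoofed core address and the unrouted source, but it also drops the dual-homed customer's packets on `cust2-b`; loose mode keeps those and still rejects unrouted space, which is the usual reason to run strict only on single-homed customer edges and loose (or an explicit prefix ACL) where routing is asymmetric.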