RIPE 52 - Istanbul, Turkey. 21-28 April 2006
     


RIPE 52 Proposal for a RIPE "IP Spoofing" Task Force

Tuesday 25 April 2006, 17:15 - 17:45.

Introduction

IP source address spoofing is the practice of originating IP datagrams with source addresses other than those assigned to the host of origin. In simple terms, the host pretends to be some other host. This can be exploited in various ways, most notably to execute Denial of Service (DoS) amplification attacks, which cause an amplifier host to send traffic to the spoofed address.

There are many recommendations to prevent IP spoofing by ingress filtering, e.g. checking source addresses of IP datagrams close to the network edge. Most equipment vendors support ingress filtering in some form. Yet significant DoS amplification attacks have happened recently that would have been impossible without spoofing. This demonstrates that ingress filtering is definitely not deployed sufficiently. Unfortunately, there are no direct benefits to an ISP that deploys ingress filtering. There is also a widely held belief that ingress filtering only helps when it is universally deployed.
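The source-address check described above can be sketched as follows. This is an added example, not part of the original proposal; the port names, prefixes (documentation ranges) and sample datagrams are constructed assumptions, and it models the filtering decision rather than any vendor's configuration.

```python
import ipaddress

# Constructed edge-router table: customer-facing port -> prefixes assigned to
# that customer. Port names and prefixes are assumptions (documentation ranges).
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

# Constructed sample datagrams as (ingress port, source address, destination).
SAMPLE = [
    ("cust-a", "192.0.2.10", "203.0.113.53"),           # legitimate source
    ("cust-a", "2001:db8:a::1", "2001:db8:ffff::53"),   # legitimate IPv6 source
    ("cust-a", "192.0.2.200", "203.0.113.53"),          # outside the assigned /25
    ("cust-b", "192.0.2.10", "203.0.113.53"),           # another customer's address
    ("cust-b", "203.0.113.7", "192.0.2.53"),            # third party's address as source
    ("cust-c", "198.51.100.9", "203.0.113.53"),         # port with no assignment
    ("cust-a", "not-an-address", "203.0.113.53"),       # malformed source
]

def build_filters(assigned):
    """Parse the prefix strings once into ip_network objects per port."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def permit(filters, port, src):
    """True only if src parses and lies in a prefix assigned to this port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net
               for net in filters.get(port, []))

def apply_ingress_filter(filters, packets):
    """Split packets into (forwarded, dropped) by the source-address check."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if permit(filters, port, src) else dropped).append(pkt)
    return forwarded, dropped

if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(build_filters(ASSIGNED), SAMPLE)
    for pkt in drop:
        print("drop", pkt)
    print(len(fwd), "forwarded,", len(drop), "dropped")
```

Because the check is applied per customer port, a datagram carrying another network's address as its source is dropped at the first hop, before it can reach an amplifier.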

RIPE as an operational forum should promote deployment of ingress filtering at the network edge by creating a task force that raises awareness and provides indirect incentives for deployment.

Proposed Charter

This task force shall

  • raise awareness about this issue among network operators
  • inform about operational methods to implement ingress filtering
  • seek ways to provide incentives and benefits to operators that do implement ingress filtering

The task force shall have completed its task when

  • network operators cannot reasonably claim not to be aware of the issue
  • information about ways to deploy ingress filtering is readily available
  • and any incentives it may have devised have become available

The task force shall be disbanded when these tasks have been completed or when there is consensus within RIPE that completion of the tasks is no longer realistic.

Suggested Time-Line

RIPE 52: BoF and establishment of Task Force

  • Quickly draft and publish RIPE recommendation citing existing work
  • Compile 'How To' with (pointers to) vendor documentation and operational experience reports
  • Establish liaison with MIT ANA Spoofer Project, promote their tools
  • Analyse spoofer data for RIPE region

RIPE 53: Publish RIPE recommendation on Ingress filtering

  • Published First Edition of "Ingress Filtering How To"
  • First analysis of Spoofer data
  • Discuss possible incentive schemes
  • Revise and extend How To
  • Devise possible incentive schemes like a "Source Address Clean" network logo, suitable RIPE DB attributes


RIPE 54: Publish second edition of "IP Source Address Filtering How To"

  • Further analysis of Spoofer data for RIPE region
  • Launch of any incentive scheme
  • Implement incentive scheme
  • Monitor progress and effectiveness


RIPE 55: Evaluation and Disbanding of Task Force

References

RFC2827
Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source Address Spoofing
http://www.ietf.org/rfc/rfc2827.txt

SSAC004
Securing the Edge
http://www.icann.org/committees/security/sac004.txt

SSAC008
DNS Distributed Denial of Service (DDoS) Attacks
http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf

ripe-66
RIPE Task Forces
ftp://ftp.ripe.net/ripe/docs/ripe-066.txt



This page has been updated: 18 April 2006


 
