Steve,
At 07:01 PM 02/11/2000 -0500, Stephen Kent wrote:
From a security perspective, it is never desirable to rely on a
mechanism that assumes that everyone else does "the right thing."
I agree. Every potential target network is not only responsible
for their own security, but in my opinion, they should be
conscientiously motivated to do the Right Things for the Internet
community at-large.
Of course, it doesn't always work out that way, sadly, and I'm not
delusional that it does.
When one suggests that a first tier ISP would not need to filter
traffic from down stream providers, because IF they do the filtering,
then the problem will not arise via those links, one is suggesting
precisely this sort of model.
You're approaching this from the wrong perspective, in my opinion.
There is no assumption implied that RFC2267 filtering is needed --
it is required. What good is it if one or two or 300 people do
it, and another 157,000 do not?
Well, there is a little good, but the more people that do it, the
better off we all are.
The bottom line here is that RFC2267-style filtering (or unicast
RPF checks, or what have you) stops spoofed source address packets
from being transmitted into the Internet from places they have no
business being originated from to begin with.
In even the worst case, those conscientious network admins that
_do_ do it can say without remorse that they are doing their part,
and can at least be assured that DoS attacks using spoofed source
addresses are not being originated from their customer base.
And this is a Bad Thing?
Edge filtering would often be helpful, but it is not a panacea, as
pointed out by others in regard to the current set of attacks, nor is
the performance impact trivial with most current routers.
It is negligible at the edge in most cases, but you really need to
define "edge" a little better. In some cases, it is very low speed
links, in others it is an OC-12.
Because
most routers are optimized for transit traffic forwarding, the
ability to filter on the interface cards is limited, as I'm sure you
know.
No, I don't know that at all. _Backbone_routers_ are optimized for
packet forwarding -- I do know that.
Also, several of the distributed DoS attacks we are seeing do
not use fake source addresses from other sites, so simple filtering
of the sort proposed in 2267 would not be effective in these cases.
Again, you're missing the point.
If attackers are limited to launching DoS attacks using traceable
addresses, then not only can their zombies be traced & found, but
so can their controller (the perpetrator himself). Of this, make no
mistake.
Finally, I am aware of new routers for which this sort of filtering
would be child's play, but they are not yet deployed. One ought not
suggest that edge filtering is not being applied simply because of
laziness on the part of ISPs.
Steve, you said that -- I didn't. I think ISP's will do what their
customers pay them to do.
- paul