Re: [spoofing-tf] Preparing for anti-spoofing project at $fooBig carrier
To: Martin Hannigan hannigan@localhost
From: Pekka Savola pekkas@localhost
Date: Tue, 17 Oct 2006 09:48:27 +0300 (EEST)
On Mon, 16 Oct 2006, Martin Hannigan wrote:
> Clearly, BCP 38 is called for so I'll start here. My interpretation
> of it is applied to ingress traffic.
Most importantly, yes, but filtering can also be applied (in addition
to ingress traffic) for peering/upstream egress traffic. See
draft-savola-rtgwg-backbone-attacks-02.txt. This helps in ensuring
that no spoofed traffic escapes your network and that your peers don't
steal transit by static routing etc.
> 3. Is there any common breakdown in the network that folks have seen?
> "Woops!"
> so to speak..
I've seen Cisco's CEF breaking a couple of times, causing e.g., 50%
packet drop. A recent case (AFAIR) was that an unrelated interface
was removed and as a result 50% of packets (two upstream links) from a
CEF/uRPF enabled interface were dropped. Clearing CEF or toggling
uRPF on and off fixes these kinds of problems but it's unfortunate
that Cisco can't get this basic stuff right.
> 4. Anyone have any problem using this page as a reference for the
> implementation reference as well as the BCP?
> http://www.cisco.com/warp/public/707/iacl.html
Infrastructure protection ACLs are just a subset of spoofing
protection.
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
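The filtering points the reply touches on (BCP 38 strict uRPF on customer ports, source-address egress filtering toward peers and upstreams, destination filtering on peering links against transit theft, and an infrastructure ACL as one narrower piece of the same picture) as a toy forwarding model. This is an added example, not code from the thread or from Cisco; the topology, prefixes, interface names and packets are all constructed. On IOS the corresponding knobs are `ip verify unicast source reachable-via rx` on the customer port and an outbound `ip access-group` on the upstream and peering ports; the model just makes the decision logic explicit.

```python
"""Toy model of BCP 38 ingress (strict uRPF), egress source filtering,
peering destination filtering and an infrastructure ACL.
Added example; all addresses, prefixes and interface names are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    iface: str


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    in_iface: str


@dataclass
class Router:
    routes: List[Route]
    own_prefixes: List[IPv4Network]    # what this network and its customers originate
    infra_prefixes: List[IPv4Network]  # router loopbacks / backbone links
    strict_urpf: Set[str]              # customer ports running strict uRPF (BCP 38)
    external: Set[str]                 # peering + upstream ports
    peering: Set[str]                  # subset of external: settlement-free peers

    def lookup(self, addr: IPv4Address) -> Optional[str]:
        """Longest-prefix match over the FIB; None if nothing matches."""
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.iface if best else None

    @staticmethod
    def _in(addr: IPv4Address, prefixes: List[IPv4Network]) -> bool:
        return any(addr in p for p in prefixes)

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("drop", reason) or ("forward", out_iface)."""
        # 1. Strict uRPF: the best route back to the source must point at the
        #    arrival interface. Only safe on single-homed, symmetric ports.
        if pkt.in_iface in self.strict_urpf and self.lookup(pkt.src) != pkt.in_iface:
            return "drop", "urpf-fail"
        if pkt.in_iface in self.external:
            # 2. Infrastructure ACL: outsiders never reach router addresses and
            #    never arrive claiming one of our own source addresses.
            if self._in(pkt.dst, self.infra_prefixes):
                return "drop", "iacl-infra-dst"
            if self._in(pkt.src, self.own_prefixes + self.infra_prefixes):
                return "drop", "iacl-spoofed-src"
            # 3. Peering ingress: only traffic for our own prefixes, otherwise a
            #    peer can point a static route at us and get free transit.
            if pkt.in_iface in self.peering and not self._in(pkt.dst, self.own_prefixes):
                return "drop", "peer-transit-theft"
        out = self.lookup(pkt.dst)
        if out is None:
            return "drop", "no-route"
        # 4. Egress toward peers/upstreams: only sources we originate may leave.
        #    This catches spoofing that entered on a port where uRPF is off.
        if out in self.external and not self._in(pkt.src, self.own_prefixes):
            return "drop", "egress-spoof"
        return "forward", out


def build_router() -> Router:
    # Constructed topology: one upstream, one peer, two customers.
    return Router(
        routes=[
            Route(ip_network("0.0.0.0/0"), "up0"),          # default toward transit
            Route(ip_network("192.0.2.0/24"), "cust0"),     # single-homed customer
            Route(ip_network("198.51.100.0/24"), "cust1"),  # multihomed customer, no uRPF
            Route(ip_network("203.0.113.0/24"), "peer0"),   # the peer's prefix
        ],
        own_prefixes=[ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")],
        infra_prefixes=[ip_network("10.255.0.0/16")],
        strict_urpf={"cust0"},
        external={"up0", "peer0"},
        peering={"peer0"},
    )


def run_cases() -> Dict[str, Tuple[str, str]]:
    r = build_router()
    far = ip_address("198.18.0.1")  # constructed "somewhere beyond the upstream"
    cases = {
        "legit": Packet(ip_address("192.0.2.10"), far, "cust0"),
        "spoof_on_urpf_port": Packet(ip_address("10.0.0.1"), far, "cust0"),
        "spoof_on_multihomed_port": Packet(ip_address("10.0.0.1"), far, "cust1"),
        "cust_to_peer": Packet(ip_address("198.51.100.7"), ip_address("203.0.113.5"), "cust1"),
        "peer_transit_theft": Packet(ip_address("203.0.113.5"), far, "peer0"),
        "peer_legit": Packet(ip_address("203.0.113.5"), ip_address("192.0.2.10"), "peer0"),
        "outside_hits_router": Packet(ip_address("203.0.113.5"), ip_address("10.255.0.1"), "peer0"),
        "outside_spoofs_us": Packet(ip_address("192.0.2.10"), ip_address("192.0.2.20"), "up0"),
    }
    return {name: r.forward(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:26s} -> {verdict}")
```

The "spoof_on_multihomed_port" case is the one the reply is about: cust1 is multihomed, so strict uRPF would drop its legitimate asymmetric traffic and is left off, and the spoofed packet only dies at the upstream egress filter. The infrastructure ACL rules (2) are deliberately a strict subset of what the other three do.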