Thread: register.com down sev0?

2006-10-26 06:03:54
Randy,

I don't think I implied anything of the sort.

I did, however, pipe up when a BCP is mentioned that I endorse, and co-authored -- and likewise, cannot figure out for life of me, why there is such push-back from the Ops community on doing The Right Thing.

Having said that, botnets don't need to spoof addresses -- the sheer dispersion of geographic and AS infection base renders the whole point of spoofing almost moot.

And having said that, it doesn't make BCP 38 any less valid.

- ferg

-- Randy Bush <randy psg.com> wrote:

> I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively perusing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38.

oh? you have knowledge that this botnet attack used spoofed source addresses?

randy

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

2006-10-26 11:25:51
On Thu, Oct 26, 2006 at 06:03:54AM +0000, Fergie wrote:
>
> Randy,
>
> I don't think I implied anything of the sort.
>
> I did, however, pipe up when a BCP is mentioned that I endorse, and co-authored -- and likewise, cannot figure out for life of me, why there is such push-back from the Ops community on doing The Right Thing.

The challenge is that the router vendors still haven't done "The Right Thing".

I have one device that

1) halves its forwarding table space by enabling u-rpf
2) can only do either strict or loose mode rpf *GLOBALLY* so I can not strict rpf-check a static customer AND loose rpf someone larger for unrouted space.

because of the above (#1 isn't that bad, but #2 is) I can't enable u-rpf on the device as a policy. Changing one interface from loose -> strict silently changes all other u-rpf interfaces and then customers gripe about dropped packets.

obviously moving these checks closer to the edge is ideal, such as always doing rpf on the ethernet lan interface for your customer CPE.

> Having said that, botnets don't need to spoof addresses -- the sheer dispersion of geographic and AS infection base renders the whole point of spoofing almost moot.

yup, it's an evolving threat, even if some solution to the botnet problem is discovered, it will take years to fix. Think of the smurf amplifiers that are still out there[1].

- jared

1 - http://www.powertech.no/smurf/

--
Jared Mauch | pgp key available via finger from jared puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

2006-10-26 12:04:31
On Thu, 2006-10-26 at 06:03 +0000, Fergie wrote:
> Having said that, botnets don't need to spoof addresses -- the sheer dispersion of geographic and AS infection base renders the whole point of spoofing almost moot.

A lot of new possibilities arise if spoofing can be eliminated with near 100% certainty. Some examples:

Automated filtering.

Automated notification to providers. "Cut off host X or..."

Expose compromised systems and hold their owners financially responsible for damages. Severe punishment of large number of users may cause outrage, basis for regress, class-action lawsuits, and maybe finally turn the attention to the real source of the problem; software vendors whose products are of such a dismal quality that they'd be banned worldwide from just about any market other than that for computer software.

--
Per Heldal - http://heldal.eml.cc/

2006-10-26 18:26:27
At 07:25 AM 10/26/2006, Jared Mauch wrote:
> On Thu, Oct 26, 2006 at 06:03:54AM +0000, Fergie wrote:
> >
> > Randy,
> >
> > I don't think I implied anything of the sort.
> >
> > I did, however, pipe up when a BCP is mentioned that I endorse, and co-authored -- and likewise, cannot figure out for life of me, why there is such push-back from the Ops community on doing The Right Thing.
>
> The challenge is that the router vendors still haven't done "The Right Thing".
>
> I have one device that
>
> 1) halves its forwarding table space by enabling u-rpf
> 2) can only do either strict or loose mode rpf *GLOBALLY* so I can not strict rpf-check a static customer AND loose rpf someone larger for unrouted space.

It was possible to implement BCP38 before the router vendors came up with uRPF.

> because of the above (#1 isn't that bad, but #2 is) I can't enable u-rpf on the device as a policy. Changing one interface from loose -> strict silently changes all other u-rpf interfaces and then customers gripe about dropped packets.
>
> obviously moving these checks closer to the edge is ideal, such as always doing rpf on the ethernet lan interface for your customer CPE.

Yes, it is. And does not require uRPF.

I know you're looking to do the right thing. It's important though that this not be put entirely on the router vendors. How many "managed T1" services out there have routers controlled by the ISP providing them? How many of those routers are configured with a single line ACL that would implement BCP38 sufficiently?

How many aggregation routers for incoming T1s are not configured with a single line ACL per T-1 to ensure the packets coming in are from assigned, not-multihomed space?

If scripts are being used to auto-configure routers to ship out to T-1 customers, then appropriate ACLs should be written by such scripts at the same time. Scripts that configure aggregation switches should similarly be reviewed for ACL inclusion.

It's certainly helpful to have implementations such as uRPF to help make it easier to deploy BCP38, but deployment of BCP38 is not dependent on the existence of uRPF.

> > Having said that, botnets don't need to spoof addresses -- the sheer dispersion of geographic and AS infection base renders the whole point of spoofing almost moot.
>
> yup, it's an evolving threat, even if some solution to the botnet problem is discovered, it will take years to fix. Think of the smurf amplifiers that are still out there[1].

Dan
(the other co-author of the BCP in question)
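The two ingress-filtering approaches argued over above (Jared's per-interface strict-versus-loose uRPF, which his device could only set globally, and Dan's single-line-per-customer ACL that needs no uRPF at all) as an added worked example; this is editor-written code, not from anyone in the thread, and the FIB, interface names and prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample FIB (not a real network): prefix -> interface it is routed out of.
# No default route is listed, so anything not matching here counts as unrouted space.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "Serial1/0",     # static, single-homed T-1 customer
    ipaddress.ip_network("198.51.100.0/22"): "Serial1/1",  # larger customer, may be multihomed
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/0",       # reached via upstream
}

# Hypothetical per-interface policy: strict on the static customer, loose on the
# larger one. This is exactly the mix a global-only uRPF knob cannot express.
POLICY = {"Serial1/0": "strict", "Serial1/1": "loose"}

def lookup(src):
    """Longest-prefix match over the FIB; None means the source is unrouted."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def urpf_permits(src, ingress):
    """True if a packet with source src arriving on ingress passes that interface's
    uRPF mode: strict requires the best route back to src to point out the ingress
    interface; loose only requires that src be routed at all (drops bogon space)."""
    mode = POLICY.get(ingress)
    if mode is None:           # no uRPF configured on this interface
        return True
    hit = lookup(src)
    if hit is None:            # unrouted space: both modes drop it
        return False
    return mode == "loose" or hit[1] == ingress

def bcp38_acl(assigned):
    """Cisco-style ingress ACL for a static customer, the kind a provisioning
    script should emit: permit only the assigned prefixes, deny the rest."""
    lines = []
    for p in assigned:
        net = ipaddress.ip_network(p)
        lines.append(f"permit ip {net.network_address} {net.hostmask} any")
    lines.append("deny ip any any log")
    return lines

def acl_permits(src, assigned):
    """Evaluate that static ACL for one source address (no FIB involved)."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(p) for p in assigned)
```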

2006-10-26 21:15:59
On Thu, 26 Oct 2006, Fergie wrote:
> and co-authored -- and likewise, cannot figure out for life of me, why there is such push-back from the Ops community on doing The Right Thing.

you could google answers from other folks but in short:

1) it doesn't always work as advertised
2) people don't always tell you the routes they hold
3) equipment vendors don't always plan properly for 'features'

Not everyone is as smart as you (both) and can manage that problem as they scale...