[dns-operations] SAC004 & BCP38 [was: DNS deluge for x.p.ctrc.cc]
Sam Norris
Sam at ChangeIP.com
Thu Mar 2 00:14:53 UTC 2006
I'm starting a new thread to talk specifically about the subject.
* Paul Vixie wrote:
> # > ... there is no valid reason to spoof so blocking that capability takes
> # > nothing away from the internet.
> #
> # Unfortunately, that's not true. Spoofing is a common and widespread technique
> # to simulate multihoming without PI space. This is independent of an own AS.
>
> see [SAC004 5.1] (http://www.icann.org/committees/security/sac004.txt).
I consider 'spoofing' the practice of forging your IP header to be someone
you are not. This is a bit different than using your IP space across
multiple providers, however I agree that in most instances it can be used to
describe both.
In SAC004 I read this:
5.1. Multihomed networks who use address space from multiple upstream
providers will occasionally emit packets into upstream "A" using source
addresses that were assigned by upstream "B". In this case, upstream
"A" must be prepared to accept source addresses in address space "B",
and vice versa. This is only a slight complication and does not
invalidate the approach.
I'm wondering if there are any proposed suggestions to the slight
complication yet? This is really the biggest stepping stone that the
industry needs to take to implement this, I believe. There are many public
databases already in existence that store routing and IP information - can
these feasibly be used? ARIN knows my IP ranges, LEVEL3 has a route object
and prefix filters, etc... Are there any resources out there on how to
accomplish BCP38 and keep your multihomed customers flowing? BCP38 was
written in 2000 and is not very popular I take it. Can this be implemented
with current hardware and infrastructure today without forcing everyone to
buy new routing equipment?
If this is the wrong place for this topic then tell me ... This whole
recursive DNS server issue is only 1 of the many that will start cropping up
and it would be nice to come up with a real solution (alongside the
recursive DNS issues at hand).
Sam
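On the question above of building BCP38 ingress filters from public route objects while keeping multihomed customers flowing, here is an added example that is not part of the thread or any operator's tooling. It parses constructed RPSL-style route objects for a hypothetical customer AS64500 and derives the filter the SAC004 5.1 way (permit every prefix the customer has registered, not only the block this upstream assigned), contrasting it with the naive assigned-block-only filter that would drop legitimate multihomed traffic.

```python
import ipaddress

# Constructed RPSL-style route objects (sample data, not taken from the thread).
# AS64500 is the multihomed customer: 198.51.100.0/24 was assigned by upstream "A"
# and 203.0.113.0/24 by upstream "B", yet either source may legitimately arrive at "A".
ROUTE_OBJECTS = """\
route:  198.51.100.0/24
origin: AS64500

route:  203.0.113.0/24
origin: AS64500

route:  192.0.2.0/24
origin: AS64501
"""

def parse_route_objects(text):
    """Return (prefix, origin ASN) pairs from blank-line-separated route objects."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last object
        if not line.strip():
            if "route" in current and "origin" in current:
                objects.append((ipaddress.ip_network(current["route"]), current["origin"]))
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return objects

def customer_prefixes(objects, asn):
    """Every registered prefix of one customer, whichever upstream assigned it (SAC004 5.1)."""
    return [prefix for prefix, origin in objects if origin == asn]

def ingress_permits(allowed, src):
    """BCP38 ingress check on the customer-facing interface: is src inside an allowed prefix?"""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in allowed)

def render_acl(allowed):
    """Cisco-style extended ACL lines (wildcard masks) permitting only those sources."""
    lines = [f"permit ip {p.network_address} {p.hostmask} any" for p in allowed]
    return lines + ["deny ip any any"]

if __name__ == "__main__":
    allowed = customer_prefixes(parse_route_objects(ROUTE_OBJECTS), "AS64500")
    assigned_by_a_only = [p for p in allowed if str(p) == "198.51.100.0/24"]
    for src in ("198.51.100.5", "203.0.113.7", "192.0.2.9"):
        print(src, "naive:", ingress_permits(assigned_by_a_only, src),
              "sac004:", ingress_permits(allowed, src))
    print("\n".join(render_acl(allowed)))
```

In a real deployment the route objects would come from the customer's IRR entries rather than an inline string, and the ACL would be regenerated whenever those objects change.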