[dns-operations] BCP38 (was Re: EDNS0 )

Paul Vixie paul at vix.com
Thu Mar 2 05:07:25 UTC 2006

# It's pretty hard to manage a per-customer rate limit on 2000 routers (guess
# who that is!).  :) It's a problem of scalability and manageability.

there's more to it than that.  flow-based rate limiting requires holding
state in the forwarding iron.  likely 122K state blobs is too many, or
that 580K state blobs is too many, or that some number of state blobs is
too many and that the number of available amplifiers is higher than that
number.  when forwarding iron runs short of state blobs for rate limiting,
it LRU's.  if you can send it enough simultaneous flows, LRU = thrashing,
and the flows corresponding to the state blobs you're discarding will get
little periods of unlimiting.

so the number of routers or router operators might actually be a problem, but
that won't have an opportunity to matter at all, since the number of flows
compared to the quota of available state blobs will be exceedable even if the
number of routers and the number of router operators are both somehow "1".

# I think we're stuck with managing each threat as it arises.  We definitely
# need ubiquitous adoption of BCP38, though I'm not certain how to achieve
# that.  Lots of folks have tried, with seemingly limited success.  Barry's
# work with uRPF might be a good place to start (again).  There are some real
# successes with uRPF, despite some of the animus those letters generate.  :)

what i think is interesting about this week's response to the renewed calls
for BCP38 (or if you're a boss and your hair is pointy, SAC004) deployment,
is that serious consideration of BCP38 adoption has apparently been waiting
for some threat, and it's not the threat i saw (which already existed when
BCP38 and SAC004 werewritten, which was the use of spoofed source IP's in
DDoS attacks).  the threat that's got people seriously talking about BCP38
is not the spoofed-source DDoS attacks -- it's the idea of filtering known
open recursive nameservers.

apparently the thought of this kind of filtering is disturbing enough to
overcome the natural desire to laugh maniacally whenever BCP38 is mentioned.

if only we'd known this years ago, we could have changed the threat context
a lot earlier.  i guess we forgot that humans, not routers, are the actors.

# We may be straying from the list charter a bit here, but I think
# it's all related.

i consider this completely on-topic.  though maybe the subject headers could
have more variety... i'll change this one now.

More information about the dns-operations mailing list