[dns-operations] Having doubts about BCP38 solving the ORN problem
paul at redbarn.org
Sun Mar 31 20:09:40 UTC 2013
Fred Morris wrote:
> I'm sure this must have been discussed at some point, somewhere.
> BCP38 filtering on egress from the network is ineffective in such
> scenarios because it is based on the assumption that the spoofed packets
> are coming in from outside the network (and hence originated as egress
> from someone else's network).
no. in <http://archive.icann.org/en/committees/security/sac004.txt> there
is a definition of "edge" in terms of source address repudiability. what
this means is, the time to drop a packet because its source address
makes no sense is, at the point where it is about to stop making sense.
that means on the customer-facing interface, no matter whether that
customer is on a WAN or LAN. see also section 5.1 describing the
multihoming corner case whereby some customers (but not by default!) can
emit packets with source addresses other than those you've assigned to them.
PS. amazingly, only three people so far in 2013 have told me in the
strongest possible terms that ip source address spoofing is no longer
happening and that i should stop worrying so much about it. i'm grateful
to all of the ddos actors whose well-publicized ip spoofing successes in
the last year have made those strange discussions a ~monthly rather than
a ~weekly event in my life of late. --pv
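Added illustration, not part of the message above or of the list archive: a small Python model of the point Paul is making, namely that the drop decision belongs on the customer-facing interface, where the set of source addresses that "make sense" is exactly the prefixes assigned to that customer, plus any explicitly configured multihoming exception (the SAC004 section 5.1 corner case, never on by default). Interface names, prefixes and the sample packets are constructed for the example; the real filter would of course be an ACL or uRPF configuration on the router, not Python.

```python
import ipaddress

# Constructed: customer-facing interface -> prefixes assigned to that customer.
ASSIGNED = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:b::/48"],
}

# Constructed: per-customer multihoming exceptions (SAC004 s5.1 corner case).
# These are explicitly configured for a specific customer, never granted by default.
MULTIHOME_EXTRA = {
    "cust-b": ["203.0.113.0/24"],
}


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def permitted_sources(iface):
    """Source prefixes that still 'make sense' when seen on this interface."""
    return _nets(ASSIGNED.get(iface, [])) + _nets(MULTIHOME_EXTRA.get(iface, []))


def accept_packet(iface, src):
    """True if a packet arriving on customer-facing `iface` with source `src`
    should be forwarded, False if it should be dropped at the edge.
    Malformed sources and unknown interfaces accept nothing."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # ipaddress returns False for a v4 address tested against a v6 network and vice versa.
    return any(addr in net for net in permitted_sources(iface))


def filter_packets(packets):
    """packets: iterable of (iface, src, dst). Returns (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        (forwarded if accept_packet(iface, src) else dropped).append((iface, src, dst))
    return forwarded, dropped


# Constructed sample traffic as seen on the edge router's customer-facing ports.
SAMPLE = [
    ("cust-a", "192.0.2.10", "9.9.9.9"),                   # assigned to cust-a: forward
    ("cust-a", "198.51.100.5", "9.9.9.9"),                 # cust-b's space on cust-a's port: drop
    ("cust-b", "203.0.113.7", "9.9.9.9"),                  # configured multihoming exception: forward
    ("cust-a", "203.0.113.7", "9.9.9.9"),                  # same source, no exception here: drop
    ("cust-b", "2001:db8:b::1", "2001:4860:4860::8888"),   # assigned v6 space: forward
    ("cust-c", "10.0.0.1", "9.9.9.9"),                     # unknown interface: drop
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for p in fwd:
        print("FORWARD", p)
    for p in drp:
        print("DROP   ", p)
```

The thing to notice is the fourth sample line: 203.0.113.7 is a perfectly valid source on cust-b's port and a spoof on cust-a's port. A filter placed anywhere further from the customer (on the network's egress toward a transit provider, say) can no longer tell those two apart, which is why the check has to sit on the interface where the address is about to stop making sense.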