[dns-operations] Configurable TC=1?

Roland Dobbins rdobbins at arbor.net
Thu Dec 24 02:06:05 UTC 2015


On 24 Dec 2015, at 5:00, Mark Andrews wrote:

> Encouraging all DSL and Cable forum members to have *all* equipment 
> they produce support BCP 38 filtering at line rate is a good way
> to start.

And enabled by default - concur 100%.  This is a portion of the topology 
in which source-address validation by default won't break the world.

But it's important to keep in mind that a substantial proportion, if not 
an outright majority, of reflection/amplification attacks appear to be 
initiated from compromised servers in IDCs.

My contention is that making Ethernet access ports default with DHCP 
Snooping and IP Source Guard/SAVI or an equivalent enabled may well be 
doable, without breaking the world.  VMotion and similar mechanisms 
would have to be taken into account - that's the most significant 
corner-case (there are others, but they're relatively rare), AFAICT.

Another area that needs improvement is broken CPE which will merrily 
pass along unmodified packets marked with source addresses beyond the 
configured private NAT scope.  This isn't a gigantic problem, but should 
be included for the sake of completeness, along with the manifold other 
problems, including abusable services enabled by default, in the CPE 
realm.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
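The two source-address checks discussed above (IP Source Guard on an access port keyed off a DHCP snooping binding table, and a CPE dropping LAN packets whose source lies outside its configured private NAT scope) as an added, self-contained Python example; it is not code from the post or from any vendor. The binding table, the static "VMotion-style" exception list, and the sample packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_port: str   # ingress access port
    src_mac: str
    src_ip: str

# Constructed DHCP snooping binding table: port -> {(mac, ip)} learned from DHCP ACKs.
BINDINGS = {
    "Gi1/0/1": {("aa:bb:cc:00:00:01", "192.0.2.10")},
    "Gi1/0/2": {("aa:bb:cc:00:00:02", "192.0.2.11")},
}

# Constructed static exceptions for hosts that legitimately move without a new
# DHCP exchange (the VMotion-style corner case the post mentions).
STATIC_ALLOW = {"Gi1/0/3": {("aa:bb:cc:00:00:99", "192.0.2.50")}}

def ip_source_guard(pkt: Packet, bindings=BINDINGS, static=STATIC_ALLOW) -> bool:
    """Forward only if (MAC, IP) matches a binding learned or configured on *this* port."""
    allowed = bindings.get(pkt.in_port, set()) | static.get(pkt.in_port, set())
    return (pkt.src_mac.lower(), pkt.src_ip) in allowed

def cpe_egress_ok(src_ip: str, lan_scope: str = "192.168.1.0/24") -> bool:
    """CPE-side BCP 38: a LAN-originated packet must carry a source inside the NAT scope."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(lan_scope)

def audit_access_ports(packets) -> dict:
    """Count forward/drop decisions over a batch; dropped ones are spoof candidates."""
    counts = {"forward": 0, "drop": 0}
    for pkt in packets:
        counts["forward" if ip_source_guard(pkt) else "drop"] += 1
    return counts

if __name__ == "__main__":
    sample = [
        Packet("Gi1/0/1", "aa:bb:cc:00:00:01", "192.0.2.10"),     # legitimate
        Packet("Gi1/0/1", "aa:bb:cc:00:00:01", "198.51.100.7"),   # spoofed source
        Packet("Gi1/0/2", "aa:bb:cc:00:00:01", "192.0.2.10"),     # valid pair, wrong port
    ]
    print(audit_access_ports(sample))
    print(cpe_egress_ok("192.168.1.20"), cpe_egress_ok("203.0.113.5"))
```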
