[dns-operations] Configurable TC=1?

Paul Vixie vixie at tisf.net
Thu Dec 24 03:28:29 UTC 2015


On Thursday, December 24, 2015 09:06:05 AM Roland Dobbins wrote:
> 
> But it's important to keep in mind that a substantial proportion, if not
> an outright majority, of reflection/amplification attacks appear to be
> initiated from compromised servers in IDCs.

one of the things we're combating here is human laziness. a fair number of IDC operators 
have told me they don't care about SAV because there are so many NAT boxes all over the 
cable and DSL edge that only translate DHCP-assigned addresses and simply forward 
unchanged packets coming from "elsewhere."

i hate excuses. people should just do the right thing. but in this case, we have to get anyone 
who can or will act, to act, and then use that action as a call to further action by the lazy 
people who refuse to be first to improve the global state of internet source address pollution.

> My contention is that making Ethernet access ports default with DHCP
> Snooping and IP Source Guard/SAVI or an equivalent enabled may well
> be doable, without breaking the world.  VMotion and similar mechanisms
> would have to be taken into account - that's the most significant
> corner-case (there are others, but they're relatively rare), AFAICT.

very small. but it highlights the need for source address validation at network egress in many
topologies, rather than network ingress as shown in BCP 38. we should tell IDCs they can do
whatever they need to do in-house, but when it's time for a packet to leave the house, it
should have an IDC-assigned source IP address, or some other address from a very small list
of exceptions.

> Another area that needs improvement is broken CPE which will merrily
> pass along unmodified packets marked with source addresses beyond the
> configured private NAT scope.  This isn't a gigantic problem, ...

actually, it's a gigantic problem.

-- 
P. Vixie
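
The egress rule described in the message above (an IDC-assigned source address or one from a short exception list, otherwise the packet does not leave), as an added example that is not part of the original post or of any operator's tooling. The prefixes, access port names and flow records are constructed assumptions using documentation address ranges.

```python
import ipaddress

# Assumption: prefixes the IDC assigned to its own hosts (documentation ranges).
ASSIGNED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:100::/48")]
# Assumption: the short exception list, e.g. a customer prefix routed via this site.
EXCEPTIONS = [ipaddress.ip_network(p) for p in ("198.51.100.0/28",)]


def classify_source(src):
    """Return 'assigned', 'exception' or 'drop' for one egress source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"  # unparseable source never leaves the site
    # `addr in net` is False when the IP versions differ, so v4 and v6 can mix.
    if any(addr in net for net in ASSIGNED):
        return "assigned"
    if any(addr in net for net in EXCEPTIONS):
        return "exception"
    return "drop"


def audit_egress(flows):
    """Summarise flows the border must drop, keyed by the access port that sent them."""
    offenders = {}
    for port, src, _dst, _dport in flows:
        if classify_source(src) == "drop":
            entry = offenders.setdefault(port, {"packets": 0, "bad_sources": set()})
            entry["packets"] += 1
            entry["bad_sources"].add(src)
    return offenders


# Constructed sample: (access port, source, destination, UDP/TCP destination port)
SAMPLE_FLOWS = [
    ("eth1/7", "192.0.2.15", "198.51.100.53", 53),       # assigned source: passes
    ("eth1/9", "203.0.113.200", "198.51.100.53", 53),    # source not ours: drop
    ("eth1/9", "203.0.113.200", "198.51.100.54", 53),    # same source, second resolver
    ("eth1/9", "10.1.2.3", "198.51.100.53", 53),         # private address leaking out
    ("eth2/1", "198.51.100.5", "203.0.113.80", 443),     # listed exception: passes
    ("eth2/3", "2001:db8:100::25", "2001:db8:ffff::1", 53),  # assigned IPv6: passes
]

if __name__ == "__main__":
    for port, info in audit_egress(SAMPLE_FLOWS).items():
        print(port, info["packets"], sorted(info["bad_sources"]))
```

Keying the summary by access port points the operator at the host or CPE emitting the invalid sources, which is where the in-house cleanup has to start.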