[dns-operations] Configurable TC=1?

Paul Vixie paul at redbarn.org
Fri Dec 25 02:05:24 UTC 2015


On Friday, December 25, 2015 08:21:08 AM Roland Dobbins wrote:
> On 24 Dec 2015, at 11:11, Paul Vixie wrote:
> > we need to get everything possible done as soon as possible.
> ...
> Is some part of the problem terminology?  Since you've done a good job
> of popularizing the more palatable term 'source-address validation', is
> it time to rev the relevant BCPs/RFCs, also to include the proviso that
> network egress filtering has the same practical effect as network
> ingress filtering from the standpoint of what your network emits?

it's not, though. (egress the same practically as ingress filtering.) i was asked about this 
privately about a week ago, and i advised strongly against egress filtering except when 
ingress filtering was infeasible. my reason is that if customer A can spoof its source address 
toward customer B, then if customer B is running an externally reachable server (DNS 
authority, or any TCP) then customer B can be used as a reflecting amplifier for customer A's 
attacks on noncustomers.

granted, this is easier to detect and correct than the non-SAV case where neither ingress nor 
egress filtering is present. i just want the people who choose egress filtering to know that this 
danger will exist for them, and that they ought to choose ingress filtering if it's feasible.

> > i am particularly incensed by the transit providers who won't do SAV against their wireline 
customers "because they might be multihomed". i tell them, make SAV your default, and 
open up the filters when and if a specific customer needs it.
> 
> I concur, in the context of providing downstream transit to an endpoint network.  However, 
customer-of-my-customer (of my customer, of my customer . . .) wholesaling scenarios are a 
bit more complex.

i am not trying to outlaw complexity; i'm trying to deal with bad defaults. if some customer 
needs non-default treatment, then by all means supply it!

> I'd also like the major OS vendors to incorporate Spoofer Project-like
> functionality into their OSes, with the data and analysis of said data
> made publicly available via a common portal.  I believe it wouldn't be
> too difficult to make the case to them that doing so is in their
> interests, and the interests of their customers.  SAVA - Source Address
> Validation Association, or some such.

ISOC has taken on routing system resilience (http://www.routingmanifesto.org). the MANRS 
(mutually agreed norms for the routing system) effort includes SAV. i'd say that if you wrote 
an RFC describing a ping-like service whereby an end system could be made to participate in 
something like CAIDA Spoofer (was MIT), then ISOC would almost certainly help you socialize 
it to equipment vendors.

-- 
P Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20151224/e130f0da/attachment.html>


More information about the dns-operations mailing list