[dns-operations] Configurable TC=1?

Frank Bulk frnkblk at iname.com
Mon Dec 28 03:18:26 UTC 2015 

It's amazing how much the SAV on our CMTS catches.

Looking at last week's data that has 4700 CMs:
239,276 hits

231,320 were from 192.168.0.0/16 address space
88 were from 172.16.0.0/12 address space
0 were from 10.0.0.0/8 address space

886 CMs (18.9%) were involved
935 CPE were involved (so some modems had more than one CPE attached)

Frank

-----Original Message-----
From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf
Of Roland Dobbins
Sent: Wednesday, December 23, 2015 9:48 PM
To: dns-operations at dns-oarc.net
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] Configurable TC=1?

On 24 Dec 2015, at 10:28, Paul Vixie wrote:

> we should tell IDC's they can do whatever they need to do in-house, 
> but when it's time for a packet to leave the house, it
> should have an IDC-assigned source IP address, or some other address 
> from a very small list
> of exceptions.

But telling people isn't working.

The power of the default continues to hold sway.  My contention is that 
source-address validation can potentially become a default setting in 
two topological scenarios without breaking the world:

1.  Wireline broadband access layer.

2.	IDC access layer (with VMotion-like scenarios being the most 
significant caveat).

> actually, it's a gigantic problem.

I don't have any statistics, but my (totally subjective) gut feeling is 
that CPE NATs passing along out-of-scope packets unmodified isn't that 
common.  Is it your gut feeling that it is in fact a fairly commonplace 
problem, and/or do you know if anyone has any data on the popularity of 
CPE NATs which exhibit this particular flavor of brokenness?   
Correction is very welcome, if indeed this is an issue with a relatively 
high degree of prevalence.

Of course, source-address validation by default in the wireline 
broadband access layer would mask this issue, irrespective of its 
prevalence.  But we need a better feel for the scope of the CPE NAT 
scope problem, just the same, because we must press this issue on 
multiple fronts.

What I would really like to see is a conclave involving the major 
operating system vendors - Microsoft, Apple, Google, the appropriate 
Linux distros, FreeBSD - with the aim of convincing them that it's in 
their interest to incorporate Spoofer Project-type functionality 
(<http://spoofer.caida.org/>) into the operating systems they produce, 
with the resultant data published and analyzed on a pubicly-accessible 
portal, said data also made available for all and sundry to analyze for 
themselves, should they wish to do so.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list