Re: [j-nsp] (d)DoS handling

From: Dmitri Kalintsev (dek@hades.uz)
Date: Mon Apr 09 2001 - 19:17:38 EDT


On Mon, Apr 09, 2001 at 01:35:02PM +0200, Jesper Skriver wrote:
> > prefix routability in principle? Extended case would be so much more useful,
> > as not many people would use M series as a distribution layer router. ;)
>
> You cannot do RPF where you risk having asymmetric routing, and I don't
> like dropping all packets from a source not in the routing table.

Citing the uRPF Enhancement PDF document by Cisco:

"Unicast RPF does work with asymmetrical routing on the Customer-ISP Edge.
Detailed configurations and an explanation of the myth that uRPF does not
work with asymmetrical routing is detailed in ISP/IOS Essentials at
http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip."

Well, yes, it's only on ISP-Customer edge, but still. ;)

> We here allow rfc1918 sources by choice, as dropping them will cause
> pMTUd problems when the link with the smaller mtu use rfc1918 addresses,
> and there are such links out there in the world, even though we don't
> use them ...

I personally don't see any value in accepting packets with sources I cannot
get back to. We filter them, and nobody yet complained. If people were not
foreseeing enough to deploy rfc1918 on their networks and leaking these into
the Internet, they are fully responsible for the consequences, not me.

I'd like to ask you if I may: what counter-DoS measures do you employ to
protect your network and your customers, as well as protecting the Internet
from your customers' misbehavior? (Having powerful routers which are not
affected by any possible (d)DoS does not count) ;)

Thanks!

SY,

-- 
 CCNP, CCDP (R&S)                          Dmitri E. Kalintsev
 CDPlayer@irc               Network Architect @ connect.com.au
 dek @ connect.com.au     phone: +61 39 674 3913 fax: 251 3666
 http://-UNAVAIL-         UIN:7150410    cell: +61 41 335 1634
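The disagreement above is about what a source-address check does when the return path is asymmetric, and about whether RFC 1918 sources should be dropped ahead of that check. The following is an added illustration, not code from the list or from any vendor: a small model of strict versus loose uRPF over a constructed routing table (all prefixes, interface names and addresses are assumed for the example), with an explicit bogon term in front of the RPF check.

```python
import ipaddress

# Constructed routing table for the example: prefix -> interface the
# router would use to reach that prefix (assumed, not a real network).
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "ge-0/0/1",
    ipaddress.ip_network("198.51.100.0/24"): "ge-0/0/2",
    ipaddress.ip_network("203.0.113.0/24"): "ge-0/0/1",
}

# RFC 1918 private ranges, checked before the RPF lookup.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def best_route(addr):
    """Longest-prefix match; returns the egress interface or None."""
    matches = [n for n in ROUTES if addr in n]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]


def urpf_check(src, ingress, mode="strict", drop_rfc1918=True):
    """Decide 'accept' or 'drop' for a packet with source `src`
    arriving on `ingress`.

    strict: source must be reachable via the ingress interface
            (fails on asymmetric paths, the concern raised above).
    loose:  source only needs some route in the table; packets from
            unrouted space are still dropped.
    drop_rfc1918 models an explicit filter term ahead of the RPF check;
    False models the choice to permit private sources anyway.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in n for n in RFC1918):
        return "drop" if drop_rfc1918 else "accept"
    egress = best_route(addr)
    if egress is None:
        return "drop"            # no route back: both modes drop
    if mode == "strict" and egress != ingress:
        return "drop"            # asymmetric: reply leaves another way
    return "accept"


if __name__ == "__main__":
    # Constructed sample packets: (source, ingress interface)
    for src, ifc in [("192.0.2.10", "ge-0/0/1"), ("192.0.2.10", "ge-0/0/2"),
                     ("100.64.0.1", "ge-0/0/1"), ("192.168.1.1", "ge-0/0/1")]:
        print(src, ifc, "strict:", urpf_check(src, ifc, "strict"),
              "loose:", urpf_check(src, ifc, "loose"))
```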
This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:42 EDT