[nsp-sec] DDoS Chicken and Egg Problem

David Freedman david.freedman at uk.clara.net
Wed Mar 26 17:04:41 EDT 2008


>To me this is not a chicken and an egg problem. It is a problem with not
>deploying Diffserv Phase 0 as a core security tool. Any packet coming
>into your network needs to have the DSCP value reset to 0 unless there
>is an explicit contract/service which requires it to be another value. 

Wavering off the original topic somewhat, I've been asking Cisco for ages for a way to disable IP->MPLS EXP marking reflection on label imposition. There simply isn't a switch to turn this off, and I'm sure it would be simple (since the code to make it happen was added!). This means I have to reset all IP marking on ingress (everywhere, on every customer interface and on every peer interface), since I have an IP/MPLS core and I use MPLS EXP to control PHB between P<->P and P<->PE; allowing marked IP packets on ingress automatically grants the user EXP-marked labels across the core, which means they can steal core PHB they are not entitled to. If there was a simple switch which turned this behaviour off on the whole box (and then meant I had to use an explicit marking policy to make it happen), it would save me countless lines of config and get rid of the worry at upgrade/re-spec time about interactions between my remarking policies, CEF and hardware capability...

Posting to C-NSP only elicits (mostly private) replies of "oh, I didn't realise you still had GSR E2 cards facing stuff, no remarking for you in your PSA bundle!"

Dave.
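An added illustration (constructed here, not from Dave's post or any Cisco code) of the interaction he describes: label imposition reflects the packet's DSCP into MPLS EXP, so a PE that does not reset DSCP on ingress lets the sender pick its own core PHB. It assumes the reflection copies the IP-precedence bits (DSCP >> 3) into the 3-bit EXP; the interface names and contract table are constructed sample data.

```python
from dataclasses import dataclass


def exp_from_dscp(dscp: int) -> int:
    """Model of the reflection applied at label imposition (assumption:
    the three IP-precedence bits of the DSCP are copied into the 3-bit EXP)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp >> 3


@dataclass(frozen=True)
class Contract:
    """Explicit agreement letting traffic on one interface keep certain DSCPs."""
    interface: str
    allowed_dscp: frozenset


def ingress_remark(interface: str, dscp: int, contracts: dict) -> int:
    """Diffserv 'phase 0' at the edge: reset DSCP to 0 unless a contract covers it."""
    contract = contracts.get(interface)
    if contract is not None and dscp in contract.allowed_dscp:
        return dscp
    return 0


def core_exp(interface: str, dscp: int, contracts: dict, remark: bool = True) -> int:
    """EXP carried on the imposed label between P/PE routers for this packet."""
    if remark:
        dscp = ingress_remark(interface, dscp, contracts)
    return exp_from_dscp(dscp)


def phb_theft(interface: str, dscp: int, contracts: dict) -> bool:
    """True when skipping the ingress reset would hand the sender a core PHB
    (higher EXP) that no contract on that interface entitles them to."""
    return core_exp(interface, dscp, contracts, remark=False) > core_exp(interface, dscp, contracts)


# Constructed sample: one customer bought EF (DSCP 46) on Gi0/1; Gi0/2 has no contract.
CONTRACTS = {"Gi0/1": Contract("Gi0/1", frozenset({46}))}

if __name__ == "__main__":
    for iface in ("Gi0/1", "Gi0/2"):
        print(iface, "EF packet -> core EXP", core_exp(iface, 46, CONTRACTS),
              "| PHB theft if ingress reset is missing:", phb_theft(iface, 46, CONTRACTS))
```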


