[ppml] Policy Proposal 2003-1a: Required Performance of Abuse Contact

John M. Brown john at chagres.net
Wed Mar 12 10:52:02 EST 2003


forgive me if I seem nieve....  

packet enters NSP's network, 
SRC_IP is 192.168.1.1
DST_IP is 209.152.187.30

router looks for a route to the DST_IP and fwds
the packet out the appropriate interface.

otherwords, Routers look at DST IP when making
fwd'ing decisions, NOT SRC ip.

hence  a ip route 192.168.0.0/16  null0 15 would 
do nothing for this packet, since its the SRC
that is spoofed.

Null routing would drop the reply packet that 209.152.187.30
generates and sends back in response.   But in general
that is already done because 192.168.1.1 isn't in 
209.152.187.30's next hop routers table.


Ergo, you have to filter based on the SRC_IP at the 
ingress to the network.

If I missed some new cisco or juniper feature that 
now causes a router to forward based on SRC_IP, other
than URPF thingy.


> -----Original Message-----
> From: McBurnett, Jim [mailto:jmcburnett at msmgmt.com]
> Sent: Wednesday, March 12, 2003 4:30 AM
> To: john at chagres.net; Dr. Jeffrey Race; ppml at arin.net
> Subject: RE: [ppml] Policy Proposal 2003-1a: Required 
> Performance of Abuse Contact
> 
> 
> JOhn,
> I don't see it quite that way...
> Unless Sprint is using RFC1918 address in it's network
> infrastructure, why not just use Null routing? 1 instace 
> takes care of the whole network... And if it is redistributed 
> via iBGP then no need for a blue gazillin of ACLs..
> 
> Anyway,
> Jim
> 
> 
> 
> 
> > -----Original Message-----
> > From: John M. Brown [mailto:john at chagres.net]
> > Sent: Wednesday, March 12, 2003 4:07 AM
> > To: 'Dr. Jeffrey Race'; ppml at arin.net
> > Subject: RE: [ppml] Policy Proposal 2003-1a: Required
> Performance of
> > Abuse Contact
> > 
> > 
> > Yes the system is broken.  Service providers need to start
> filtering
> > on the edge of their networks to prevent bad packets from entering
> > their networks.
> > 
> > Socially SPAM needs to be addressed in a manner that allows
> > people(natural or otherwise) to affect self-help and be 
> provided the
> > tools to take legal action against the spammers.  Much like
> the TCPA
> > does with junk-fax.  You don't see the "phone company" revoking a
> > phone line because its been used for sending junk faxes.
> > 
> > 
> > When service providers like Sprint (AS 1239) and UUNET (AS 701)
> > actually apply ingres filtering in such a manner that we no 
> longer see
> > RFC-1918 packets on edge transit links, then we will be getting
> > someplace.
> > 
> > Oh BTW  filters on a Sprint Ingress link show:
> > 
> > rt01#sh access-list as1239-in
> > Extended IP access list as1239-in (Compiled)
> >     deny ip 10.0.0.0 0.255.255.255 any (618129 matches)
> >     deny ip 172.16.0.0 0.15.255.255 any (254224 matches)
> >     deny ip 192.168.0.0 0.0.255.255 any (488749 matches)
> >     deny ip 169.254.0.0 0.0.255.255 any (716 matches)
> > 
> > This is during a 24 hour window, on ONE customer DS3
> interface. Wonder
> > what the aggregate count would be across their entire net. (Prolly
> > less than a OC12 worth of traffic)
> > 
> > (ARIN, RIPE, APNIC Please revoke their AS, all their routes from the

> > internet because they allow spoofed packets to enter their networks)
> > 
> > This is clearly ABUSE as the IETF has specified that IP
> packets labled
> > with these integers (RFC-1918) MUST NOT be routed to the global
> > Internet.
> > 
> > 
> > So "We can conclude" that Sprint is abusing a majority of its 
> > customers with low volume DDOS by allowing these packets to 
> > exist....
> > 
> > May I ask, who is going to Pay Sprint to place these filters on
> > every edge router in their global network???   
> > 
> > May I ask, who is going to revoke AS 1239 and remove its ability to
> > be used in the global BGP routing tables ??   I think, speaking
> > for our client, that should that happen the org that causes this
> > problem (in this case ARIN) would be facing legal action for 
> > interfering with interstate commerce and for possible RICO, 
> anti-trust
> > practices, and interfering with contractual relations that
> it is not a
> > party to.
> > 
> > Bluntly, this is a bad idea and deserves a red t-shirt.
> > 
> > And for the record.  Our client thinks Sprint runs a pretty
> darn good
> > network.  We only used their name and stats as a way of putting
> > reality to this proposal.
> > 
> > 
> > Msg to ARIN AC and BOT.  Please spend your time on
> something like say,
> > IPv6 and making those resources more available to people
> that want to
> > start using them.
> > 
> > john brown
> > 
> > 
> > >  We can also conclude that
> > > unless a discipline mechanism is adopted, problems of viruses, 
> > > trojans, spam and ddos will continue to multiply, as they are now.

> > > The rising numbers for all of these metrics show the system as now

> > > operated is broken.
> > > 
> > > Jeffrey Race
> > > 
> > > 
> > > 
> > 
> > 
> 




More information about the ARIN-PPML mailing list