[AusNOG] MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration

Mark Smith markzzzsmith at gmail.com
Tue Mar 1 07:27:53 EST 2016


On 29 February 2016 at 22:46, Roland Dobbins <rdobbins at arbor.net> wrote:
> On 29 Feb 2016, at 18:34, Mark Smith wrote:
>
>> OK everybody, it's really hard to do something about it, so you probably
>> won't bother, and this thread has been a waste of time.
>
>
> I am well-known for my long-time advocacy of source-address validation -
> including on this thread.
>

So why are you presenting it to be harder than it commonly is?

I wasn't aware of this RFC/BCP before this thread (or may have been,
but I come across so many RFCs that I'd like to read); sections 2.1
and 2.2 are saying exactly what I've said.

BCP84/RFC3704 "Ingress Filtering for Multihomed Networks"
https://tools.ietf.org/html/bcp84#section-2.1


It is possible to automate applying this sort of thing; I've written
scripts that would download a switch's config, determine which are the
uplink and downlink ports, and only enable LLDP on uplink ports, based
on port labels, that worked on three quite different switch models
from the same vendor. So it should be possible to use the same method to
automate ACL generation and application on downlink ports on routers,
as long as your port labelling is consistent (which it should be on
any network - and if it isn't, you might have other bigger problems
than being a DDoS source).

EOT really this time, I've got nothing more to say.
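One way to automate the ACL generation described above, as an added example that is not part of the original post: it parses a constructed, hypothetical router config, classifies ports by their description label, and emits a BCP38/84-style ingress filter per downlink port (permit only the customer's assigned source prefixes, then deny). The labelling convention, interface names and prefixes are assumptions, not anything from the thread.

```python
import re
from ipaddress import ip_network

# Constructed sample config (hypothetical, not a real device). Assumed labelling:
# "UPLINK:" for transit/peering ports, "CUST: <prefix>[, <prefix>...]" for downlinks.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description UPLINK: transit-provider-a
!
interface GigabitEthernet0/1
 description CUST: 203.0.113.0/24, 2001:db8:100::/48
!
interface GigabitEthernet0/2
 description CUST: 198.51.100.0/25
!
interface GigabitEthernet0/3
 description spare
!
"""

IFACE_RE = re.compile(r"^interface (\S+)\n description (.*)$", re.M)
def classify_ports(config):
    """Map interface -> (role, assigned prefixes) from its description label."""
    ports = {}
    for name, desc in IFACE_RE.findall(config):
        if desc.startswith("UPLINK:"):
            ports[name] = ("uplink", [])
        elif desc.startswith("CUST:"):
            # strict=True: a malformed prefix raises rather than widening the permit
            nets = [ip_network(p.strip(), strict=True) for p in desc[5:].split(",")]
            ports[name] = ("downlink", nets)
        else:
            ports[name] = ("unknown", [])  # inconsistent label: flag for a human
    return ports

def build_ingress_acls(ports):
    """One ingress ACL per downlink port and address family: permit assigned sources, deny all."""
    acls = {}
    for name, (role, nets) in ports.items():
        if role != "downlink":
            continue  # uplinks and unlabelled ports get no generated ACL
        per_af = {}
        for net in nets:
            af = "ipv%d" % net.version
            per_af.setdefault(af, []).append("permit %s any" % net.with_prefixlen)
        for rules in per_af.values():
            rules.append("deny any any")
        acls[name] = per_af
    return acls
```

Ports with an unrecognised label come back as "unknown" so the run can be stopped for review rather than silently leaving a downlink unfiltered.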


