On 2/14/2014 4:09 PM, Joe Provo wrote:
> On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote:
> [snip]
>> Taken to the logical extreme, the "right thing" to do is to deny
>> any spoofed traffic from abusing these services altogether. NTP
>> is not the only one; there is also SNMP, DNS, etc.
>
> ...and then we're back to "implement BCP38 already!" (like one of
> the authors of the document didn't think of that, ferg? ;-)
>
> NB: Some Entities believe all filtering is 'bcp 38' and thus have
> given this stone-dead logical and sane practice a bad rap. If
> someone is sloppy with their IRR-based filters or can't drive loose
> RPF correctly, that isn't the fault of BCP38.
>
> The document specifically speaks to aggregation points, most
> clearly in the introduction: "In other words, if an ISP is
> aggregating routing announcements for multiple downstream networks,
> strict traffic filtering should be used to prohibit traffic which
> claims to have originated from outside of these aggregated
> announcements."
>
> This goes for access, hosting, and most recently virtual hosting in
> teh cloude. Stop forgery at your edges and your life will be
> easier.
>

Indeed -- I'm not in the business of bit-shipping these days, so I can't endorse or advocate any particular method of blocking spoofed IP packets in your gear.

I can, however, say with confidence that it is still a good idea. Great idea, even. :-)

- ferg

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
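An added illustration of the rule the quoted BCP38 introduction states (strict filtering at an aggregation point: drop anything whose source lies outside the prefixes aggregated behind the interface it arrived on), written for this page and not code from the thread, from BCP38, or from any router vendor. It goes slightly beyond the quote by also modelling the loose RPF mode Joe mentions, so the difference between the two checks is visible side by side. The forwarding table, interface names and addresses are constructed sample values (documentation prefixes), and the "upstream" interface with a default route is an assumption.

```python
import ipaddress

# Constructed forwarding table for an aggregation router: prefix -> interface
# that reaches it. Sample data only, not taken from the thread.
FIB = {
    "192.0.2.0/24": "cust-a",      # aggregate announced by downstream customer A
    "198.51.100.0/24": "cust-b",   # aggregates announced by downstream customer B
    "203.0.113.0/24": "cust-b",
    "0.0.0.0/0": "upstream",       # assumed default route toward transit
}


def lookup(fib, ip):
    """Longest-prefix match: interface the FIB would use to reach ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def strict_urpf_permits(fib, ingress_iface, src_ip):
    """Strict mode, the BCP38 check at an aggregation point: the packet is
    accepted only if the best route back to its source leaves through the
    interface it came in on, i.e. the source is inside that customer's
    aggregated announcements."""
    return lookup(fib, src_ip) == ingress_iface


def loose_urpf_permits(fib, src_ip):
    """Loose mode: accept if *any* non-default route exists for the source.
    Catches unrouted/bogon sources but not a customer forging another
    customer's address, which is why strict mode is the one BCP38 asks for
    at aggregation points."""
    specific = {p: i for p, i in fib.items() if ipaddress.ip_network(p).prefixlen > 0}
    return lookup(specific, src_ip) is not None


def audit_packets(fib, packets, mode="strict"):
    """Apply the chosen check to (ingress_iface, src_ip) pairs and return a
    dict of src_ip -> 'permit' / 'drop' so the result can be inspected."""
    verdicts = {}
    for ingress_iface, src_ip in packets:
        if mode == "strict":
            ok = strict_urpf_permits(fib, ingress_iface, src_ip)
        elif mode == "loose":
            ok = loose_urpf_permits(fib, src_ip)
        else:
            raise ValueError("mode must be 'strict' or 'loose'")
        verdicts[src_ip] = "permit" if ok else "drop"
    return verdicts


# Constructed sample traffic arriving on customer A's interface.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.7"),      # legitimate: inside A's aggregate
    ("cust-a", "198.51.100.5"),   # forged: belongs to customer B
    ("cust-a", "10.0.0.1"),       # forged: no route at all (only the default)
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, audit_packets(FIB, SAMPLE_PACKETS, mode))
```

Running it shows the point of the quoted paragraph: strict mode drops both forged sources on `cust-a`, while loose mode still lets the packet claiming customer B's address through, because a route for 198.51.100.0/24 exists somewhere in the table. Loose mode remains useful on interfaces where routing is asymmetric and strict mode would discard legitimate traffic, which is the operational care the thread alludes to.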