Re: COVID-19 vs. our Networks

2020-03-16 Thread Eric M. Carroll
I suggest the NANOG community needs to actively recognize that this risks
becoming the largest North America-wide test of mass work from home that
has happened since I got involved in the public internet back in 1986.

It may also drive some permanent changes in traffic patterns as high volume
remote work becomes the new normal.

There is good news here. The infrastructure has never been better
positioned to support this kind of mass event. We can shop from home, work
from home, get groceries from home, order drugs, get entertainment, all via
IP. The ISP community needs to be ready to respond to the magnitude of what
is happening.

In Toronto, municipal services are shut down, schools are closed,
university classes are cancelled, transit is reduced, Pearson is a ghost
town, mass gatherings are cancelled, multiple senior politicians are
self-isolating. Discussions are happening about closing malls. All this
happened in the last week. The downtown core was a ghost town on Friday. We
have a fraction of the cases in Canada as the US does.

I personally know numerous very large companies that have formally
activated their business continuity plans and have or are about to send
tens of thousands to work from home.

Numerous ISPs have waived overage fees in consideration of the situation here.

I start formal work from home as of Monday *with no defined timeline for
recall as yet*. My current department went from thinking about it, to
testing BCP, to sending people home, inside of 1 week.

This is real. It is rapidly evolving. Be prepared and realize your
networks, if they were not before, are now safety-critical.

Regards,

Eric Carroll


Enforcing Source Integrity: BCP38 and Open Resolver Problems

2013-03-27 Thread Eric M. Carroll
The root cause of high scale directed amplification attacks is the failure
to assure the integrity of the source IP address. This failure leads to a
large set of directed amplification attack vectors.

BCP38 was written in 2000, coming up on its 13th anniversary. This root
cause, and various methodologies & technologies to resolve it, have been an
ongoing discussion going back to the 90s.

The failure to enforce this BCP or the related technological mechanisms to
force implementation is the root cause of why the Internet cannot always
trust source addresses and why these attack vectors persist. Until the ISP
community gets serious about forcing the integrity of source addresses
throughout its topology, various flavours of attack whose root cause is the
spoofed source addresses will continue.

Yes, it is not easy to do because it is a transitive trust issue, linked to
topology and address management policy. Yes, it would be easier if there were
a magic bullet to validate source addresses built into the architecture.
But there is not; the architecture is what it is. If every step of the
chain enforced the integrity of source addresses, this risk would be
resolved. There are multiple different steps that could be taken, including
law enforcement, statute, contractual, policy, process and technological
mechanisms.

Every ISP's and content provider's business model is threatened by this
vulnerability. Every attack drives up operational expenses for everyone.
Opportunity costs of missed sales and impacted business are everywhere. It
is a pure tragedy of the commons - for lack of enforcement, the whole
system is threatened in scale.

This problem cannot be allowed to rest at the edges simply by pointing at
the current amplification vector. Yesterday it was something different.
Tomorrow it will be different again. The constant is the rising scale of the
Internet and the resulting increase in scale of the attack and its
corresponding economic impact. The root cause is not today's Google issue.

The ISP community has the power to enforce this through policy and
technological means. Whether it has the will and ability to self-organize
and enforce is a different issue (and also, a long-standing one).

The discussion needs to be not just about the edge issue of the day. It
needs to be about what forum, and what means, can be used to enforce this
integrity. Post-9/11 the ISP community has significantly more hammers in
its arsenal now than it did in May 2000. Perhaps NANOG is not the right
forum to discuss, but if not, what is? This is truly an operational threat
to the whole community. Leadership needs to come from the largest
providers, not just from the smallest.

Today the threat is rogue data centres hosting spammers trying to game the
system, tolerated by their upstream providers. Does this really need to be
a hostile state or quasi-state actor deliberately threatening the
infrastructure before serious coordinated action is taken?

We really do know better.

Eric Carroll
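As an added illustration of the BCP38 mechanism the post above argues for (this is example code, not part of the post or of any vendor implementation), the following models strict ingress filtering: each customer-facing interface is bound to the prefixes that customer legitimately sources from, and any packet arriving with another source address is treated as spoofed. The interface names, prefixes and flow records are constructed for the example; all addresses are RFC 5737 documentation ranges.

```python
# Added example (not from the original post): a minimal model of BCP38
# strict ingress filtering, as applied on a provider's customer-facing edge.
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology: ingress interface -> prefixes assigned to that customer.
# In production this table is derived from the provider's address assignments
# (or from the FIB, in the case of uRPF strict mode).
INGRESS_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "Gi0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "Gi0/2": [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("198.51.100.128/25")],
}

Flow = Tuple[str, str, str]  # (ingress interface, source IP, destination IP)


def bcp38_permits(interface: str, src: str) -> bool:
    """Strict check: the source must fall inside a prefix assigned to the
    interface it arrived on. Unknown interfaces permit nothing (fail closed)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INGRESS_PREFIXES.get(interface, []))


def filter_flows(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Partition flow records into (forwarded, dropped). Dropped records are
    the ones a defender would count and alert on: a customer port emitting
    addresses it does not own is either misconfigured or being abused."""
    forwarded: List[Flow] = []
    dropped: List[Flow] = []
    for flow in flows:
        iface, src, _dst = flow
        (forwarded if bcp38_permits(iface, src) else dropped).append(flow)
    return forwarded, dropped


# Constructed sample flows. The 2nd and 4th records carry source addresses the
# customer on that interface does not own, i.e. the spoofed packets that feed
# reflection/amplification; strict ingress filtering drops them at the edge.
SAMPLE_FLOWS: List[Flow] = [
    ("Gi0/1", "203.0.113.7", "192.0.2.53"),
    ("Gi0/1", "192.0.2.10", "192.0.2.53"),
    ("Gi0/2", "198.51.100.200", "192.0.2.1"),
    ("Gi0/2", "203.0.113.7", "192.0.2.1"),
]

if __name__ == "__main__":
    fwd, drp = filter_flows(SAMPLE_FLOWS)
    print(f"forwarded={len(fwd)} dropped(spoofed)={len(drp)}")
```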