by forgottenpass
3558 days ago
Filtering can only be enforced at boundaries where an operator can say "Link N will only/never have traffic for net range foo/16." And it isn't always possible to make strong blanket statements like that. Netadmins can make those kinds of statements about traffic originating from within their own networks because they set the rules. But at an interconnection, the types of networks connecting and the purpose of the connection might mean there is little meaningful anti-spoofing protection that can be done. For example: I send a packet to Google; it passes from AS 123 through AS 456 to AS 789. How is AS 789 going to tell the difference between a packet from me and a forgery originating from AS 456?
Though we do assume that an AS won't itself misbehave and send a spoofed packet to one of its member peers, and most of the time that's true.
We have to worry about misbehaving ISPs, for which the previously mentioned filtering works.
> Netadmins can make those kinds of statements about traffic originating from within their own networks because they set the rules. But at an interconnection the types of networks connecting, and the purpose of the connection might mean there is little meaningful anti-spoofing protection that can be done.
I don't think so. An IXP can force peers to provide their IP space even if it's the whole internet. At least they won't be able to spoof IPs outside of their space. If they do spoof a DDoS from their own space, the above solution would probably suffice.
EDIT: I just realized the peer already has to give destination IP ranges. So the IXP doesn't have to force anyone.
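The two filtering rules the thread is arguing about, as an added example that is not part of either commenter's post: strict uRPF (a source is accepted on a link only if the best route back to that source exits through the same link) and a per-link source allowlist built from the prefixes a customer was assigned or a peer announced. The FIB, link names, announced prefixes and packets below are constructed for illustration; the interesting case is the last two packets, which arrive on the transit link with identical headers, so the receiving AS cannot tell the genuine one from the forgery, which is exactly the AS 123 / AS 456 / AS 789 situation described above.

```python
"""Added example: ingress (source-address) filtering decisions, BCP 38 style.

All data here is hypothetical: a constructed FIB for the receiving AS, constructed
per-link source prefix sets, and constructed packets. None of it comes from the thread.
"""
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> link through which the best route to that prefix exits.
FIB = {
    "192.0.2.0/24": "cust-a",        # customer A's assigned space
    "198.51.100.0/24": "cust-b",     # customer B's assigned space
    "203.0.113.0/24": "peer-as456",  # learned from the IXP peer's announcement
    "0.0.0.0/0": "transit",          # everything else via the transit provider
}

# Constructed per-link source allowlists. None = operator can make no strong statement
# about what sources may legitimately arrive on this link (e.g. a transit link).
ALLOWED_SOURCES = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/24"],
    "peer-as456": ["203.0.113.0/24"],
    "transit": None,
}


def lookup(fib, addr):
    """Longest-prefix match: return the exit link for addr, or None if nothing matches."""
    a = ip_address(addr)
    best = None
    for prefix, link in fib.items():
        net = ip_network(prefix)
        if net.version == a.version and a in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, link)
    return best[1] if best else None


def strict_urpf_allows(fib, ingress_link, src):
    """Strict uRPF: accept only if the best route back to src exits via ingress_link."""
    return lookup(fib, src) == ingress_link


def source_allowlist_allows(allowed, ingress_link, src):
    """Accept only sources inside the prefix set tied to this link.

    A link with no set (None) cannot be filtered this way and passes everything.
    """
    prefixes = allowed.get(ingress_link)
    if prefixes is None:
        return True
    a = ip_address(src)
    return any(a in ip_network(p) for p in prefixes)


def classify(fib, allowed, packets):
    """Apply both checks to (ingress_link, src, dst) tuples; return accept/drop lists."""
    out = {"accept": [], "drop": []}
    for link, src, dst in packets:
        ok = strict_urpf_allows(fib, link, src) and source_allowlist_allows(allowed, link, src)
        out["accept" if ok else "drop"].append((link, src, dst))
    return out


# Constructed packets (ingress link, source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "198.18.0.5"),        # legitimate customer traffic
    ("cust-a", "198.51.100.9", "198.18.0.5"),      # customer A spoofing customer B's space
    ("transit", "198.51.100.9", "192.0.2.10"),     # transit spoofing our own customer's space
    ("peer-as456", "203.0.113.7", "192.0.2.10"),   # peer source inside its announced space
    ("peer-as456", "198.18.0.5", "192.0.2.10"),    # peer source outside its announced space
    ("transit", "198.18.0.5", "192.0.2.10"),       # real packet relayed by transit
    ("transit", "198.18.0.5", "192.0.2.10"),       # forgery by transit: identical on the wire
]

if __name__ == "__main__":
    for verdict, pkts in classify(FIB, ALLOWED_SOURCES, SAMPLE_PACKETS).items():
        for pkt in pkts:
            print(verdict, pkt)
```

Strict uRPF is what lets the customer and IXP peer links be filtered tightly here, because the operator knows which prefixes belong behind each of them. On the transit link the default route makes every non-local source "feasible", so the only spoofing it can reject is traffic claiming to come from the operator's own customers or peers; anything else from the transit side is accepted whether or not it was forged. Note also that strict uRPF drops legitimate asymmetric traffic on multihomed links, which is why operators often run the looser feasible-path variant there.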