Re: Mail relay attempts
[No need to Cc: me; I read the list. Please respect my M-F-T ]
On Wed, Sep 04, 2002 at 07:45:14AM -0400, Anthony DeRobertis wrote:
> On Thursday, Aug 29, 2002, at 09:34 US/Eastern, Nathan E Norman wrote:
> >This is why all ISPs should apply filters at their ingress/egress
> >points. Unfortunately, many do not.
> While I don't want to start a flame war here, as all discussions of
> this topic seem to become, I'd just like to point out there are very
> legitimate arguments that egress filtering is a bad thing.
> IP routing does not have to be symmetric. It is for certain situations
> very useful to have data come in one connection and leave another. Even
> if those connections are from different ISPs. A recent time I did this
> was to transition to a new hosting facility; the router at the old
> facility was configured to forward data to the new facility over a GRE
> tunnel, where it was then passed through static NAT. The data coming
> out of the new facility was sent out with the old facilities IPs as the
> source. Tunneling that would of been bad, because the outgoing traffic
> was much, much, larger than incoming.
> Another thing reverse path filtering breaks is having a mobile IP
> address. Say you take your laptop with you --- it can be very useful to
> have a constant IP address, especially if you want to keep, e.g., a ssh
> connection open. That is fairly easily done by tunneling packets sent
> to that address to the actual IP of the laptop. Data sent out from the
> laptop is sent with the mobile IP address as source. No reason to
> tunnel it back, that just wastes bandwidth and slows things down more.
> Spoofed addresses are annoying. However, it's not really something that
> can be fixed. Please don't break useful features while failing....
I don't see how egress filtering prevents either scenario you
describe. Therefore I conclude that when I say egress filtering it
means something different than when you say egress filtering. in fact
I'm sure that you mean something else because you mention reverse path
filtering which isn't what I'm talking about.
If you are an ISP, and you are not a transit AS, then at some point in
your network you know that on one side of a device are "your"
addresses, and on the other side are "not your" addresses. Thus you
can set an ACL which prevents your customers from spoofing.
If you are a transit AS things get more interesting; you can still
apply ACLs but you have to make sure you know what you're doing.
Here's a concrete example: I used to work for a cable ISP. We had a
/18 that we doled out to customers. At each router that connected to
the Internet (via some provider) we dropped outgoing packets that
didn't come from our /18, and dropped incoming packets that purported
to come from our /18.
Again, note that I am talking about what ISPs can do to stop spoofing.
In fact, ingress/egress filters are the only filtering an ISP should
do, IMO. ISPs which filter port 80, port 25, force traffic through a
proxy, etc. are evil and ususally end up breaking something.
Nathan Norman - Micromuse Ltd. mailto:firstname.lastname@example.org
Q: What's the difference between a computer salesman and a used
A: A used car salesman knows when he's lying.