
Re: draft-ietf-grip-isp-00.txt now available



>>    To prevent attacks that rely on forged source addresses ISPs should 
>>    proactively filter at the boundary router with each of their customers 
>>    all traffic that has a source address of something other than the 
>>    addresses that have been assigned to that customer.  (It's
>>    regrettable that major router vendors don't make the application of
>>    such filters the default behaviour).

>Major ISPs with large overloaded aggregation routers seem hesitant to do
>this.  Why?

Not only that, but source address filtering is far more of a pain in
the ass for the legitimate user than a meaningful impediment to an
attacker.  For example, Time Warner's Road Runner cable modem service
here in San Diego implements source address filtering. But my home
network is dual-homed between RR and an ISDN dialup to Qualcomm. To
evade this filter and the many problems it causes, I set up a "tunnel"
machine on Qualcomm's DMZ and IP-in-IP encapsulate all my default
outbound traffic. Needless to say, the presence of even one such
tunnel machine on the Internet makes it possible for anyone to evade
his or her ISP's source address filter.

And, as we've heard, source address filtering either breaks Mobile IP
or requires the use of IP-in-IP tunneling in both directions (which
creates even more tunnel systems on the net.)

There are much better solutions to the TCP syn flooding attack than IP
source address filtering. It's just a bad idea. The end system fix is
the only true path to security.

>>    There is no justification for any mail relay on the Internet being left
>>    completely open

>Seems a pretty absolutist statement.  Too early to think of counterexamples,
>but I am sure someone can.

Sure. How about SMTP relay servers set up for the use of traveling
Eudora users?  Eudora cannot resolve MX records and deliver mail
directly; it tosses all its outbound mail on a friendly local SMTP
relay site, traditionally a UNIX box running sendmail.  While such a
relay can be protected from spammers by being placed inside a
corporate firewall, this doesn't help users travelling outside the
firewall. True, it's possible and desirable to set up a TCP forwarding
tunnel with SSH for your POP and SMTP connections, but that doesn't
mean there isn't a legitimate reason to leave a mail relay open.

>>    Sanctions for running an open mail relay should be covered in an ISP's 
>>    AUP.

>Are you suggesting that an ISP should act against a customer who runs an
>open relay?  This is not the way the internet is run today.

Agreed. When an open mail relay host gets discovered by the spammers,
the main victim is the mail relay operator himself. That's usually
plenty of incentive to turn off relaying.

Phil
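The ingress filter the draft describes (drop anything from a customer whose source address is outside the prefixes assigned to that customer), written out as an added example that is not part of this thread or the draft. The prefixes and packets below are constructed from RFC 5737 documentation ranges; the point the example makes is the one raised above: the filter cannot tell a forged source from a dual-homed host that legitimately uses its other provider's address, so both land in the drop list.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as seen at the customer-facing router."""
    src: str
    dst: str
    note: str  # constructed label saying where the packet really came from


def make_ingress_filter(assigned_prefixes):
    """Build a predicate that is true only for source addresses inside the
    prefixes the ISP assigned to this customer (the filter the draft asks for)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in assigned_prefixes]

    def source_permitted(src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)

    return source_permitted


def apply_ingress_filter(packets, assigned_prefixes):
    """Split packets into (forwarded, dropped) according to the ingress filter."""
    permitted = make_ingress_filter(assigned_prefixes)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permitted(pkt.src) else dropped).append(pkt)
    return forwarded, dropped


def drop_summary(dropped):
    """Count dropped packets per source address: the view an operator has when
    deciding whether a customer is forging addresses or is simply dual-homed."""
    return Counter(pkt.src for pkt in dropped)


# Constructed sample: the ISP assigned this customer 203.0.113.0/24.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]

# Constructed traffic. 198.51.100.0/24 stands in for "somewhere else on the
# Internet" and 192.0.2.0/24 for the customer's other provider.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "198.51.100.9", "ordinary customer traffic"),
    Packet("198.51.100.77", "192.0.2.1", "forged source address"),
    Packet("198.51.100.78", "192.0.2.1", "forged source address"),
    Packet("192.0.2.10", "198.51.100.9", "dual-homed host using its other provider's address"),
]


def run_sample():
    """Apply the filter to the constructed traffic and return (forwarded, dropped)."""
    return apply_ingress_filter(SAMPLE_PACKETS, CUSTOMER_PREFIXES)


if __name__ == "__main__":
    fwd, drp = run_sample()
    for pkt in fwd:
        print("forward", pkt.src, "->", pkt.dst, "|", pkt.note)
    for pkt in drp:
        print("drop   ", pkt.src, "->", pkt.dst, "|", pkt.note)
    print(drop_summary(drp))
```

The dual-homed packet is dropped for exactly the same reason as the forged ones, which is why an operator looking only at the drop counters cannot distinguish the two cases without knowing the customer's other address space.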
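A relay policy that is not "completely open" yet still serves the traveling-user case discussed above, as an added example that is not from this thread or any particular MTA. It accepts mail for domains the host delivers locally and submissions from its own internal networks; a traveling user who forwards the SMTP connection over an SSH tunnel arrives from localhost and is therefore treated as internal, while the same user connecting directly from an outside address is refused. The domain names, address ranges and scenarios are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayRequest:
    client_ip: str   # address the SMTP connection arrives from
    sender: str
    recipient: str
    note: str        # constructed label for the scenario


class RelayPolicy:
    """Decide whether the SMTP server should accept a message.

    Accepted: mail addressed to a domain delivered locally, and mail submitted
    from an internal network (the LAN behind the firewall plus localhost, so
    that SSH-forwarded connections land inside the policy). Anything else is
    refused, which is what stops the host from being an open relay."""

    def __init__(self, local_domains, internal_nets):
        self.local_domains = {d.lower() for d in local_domains}
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]

    @staticmethod
    def _domain(address):
        return address.rsplit("@", 1)[-1].lower()

    def _is_internal(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.internal_nets)

    def decide(self, req):
        """Return (accept, reason) for one relay request."""
        if self._domain(req.recipient) in self.local_domains:
            return True, "local delivery"
        if self._is_internal(req.client_ip):
            return True, "submission from internal network"
        return False, "relaying denied"


# Constructed deployment: example.com's relay, LAN 10.0.0.0/8, localhost for SSH-forwarded users.
POLICY = RelayPolicy(
    local_domains=["example.com"],
    internal_nets=["10.0.0.0/8", "127.0.0.0/8"],
)

SAMPLE_REQUESTS = [
    RelayRequest("10.0.0.5", "alice@example.com", "bob@example.net",
                 "office user behind the firewall"),
    RelayRequest("127.0.0.1", "alice@example.com", "bob@example.net",
                 "traveling user via SSH port forward to the relay"),
    RelayRequest("198.51.100.20", "alice@example.com", "bob@example.net",
                 "traveling user connecting directly from outside"),
    RelayRequest("198.51.100.20", "carol@example.org", "alice@example.com",
                 "outside sender delivering to a local mailbox"),
    RelayRequest("198.51.100.20", "spam@example.org", "victim@example.net",
                 "third party trying to relay through us"),
]


def run_sample():
    """Return a list of (note, accepted, reason) for the constructed requests."""
    return [(req.note,) + POLICY.decide(req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for note, accepted, reason in run_sample():
        print("ACCEPT" if accepted else "REJECT", "|", reason, "|", note)
```

The only case the restricted policy refuses that an open relay would have accepted is the traveling user connecting directly from outside; that is the gap the SSH forwarding tunnel closes.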