Re: draft-ietf-grip-isp-00.txt now available
- To: Don Stikvoort <Don.Stikvoort@surfnet.nl>
- Subject: Re: draft-ietf-grip-isp-00.txt now available
- From: Tom Killalea <tomk@nwnet.net>
- Date: Thu, 30 Oct 1997 09:47:57 -0800
- Cc: grip-wg@UU.NET
- Comment: grip-wg mailing list add/drop requests to Majordomo@TransSys.COM
- In-reply-to: Your message of Thu, 30 Oct 1997 14:24:52 +0100. <"surah.surfne:131910:971030132510"@surfnet.nl>
>==> From: Tom Killalea
>
>> In addition, ISPs should filter (and optionally log) all traffic with
>> source addresses from the address space allocated for private
>> Internets.
>
>Please re-read my previous comment on this paragraph. This is
>partially superfluous, and otherwise too vague.

You're right - I've now removed this from 4.2, the section on Ingress
Filtering on Source Address.

I think it makes sense to retain a reference to private addresses in
section 5, and specifically I've added a new sub-section as follows:

5.6 Route Filtering

Excessive routing updates can be leveraged by an attacker as a base
load on which to build a Denial of Service attack. At the very least
they will result in performance degradation.

ISPs should filter the routing announcements they hear, for example
to ignore routes to addresses allocated for private Internets, to
avoid bogus routes and to implement route dampening and aggregation
policy.

ISPs should implement techniques that reduce the risk of putting
excessive load on routing in other parts of the network. These
include 'nailed up' routes, aggressive aggregation and route
dampening, all of which lower the impact on others when your
internal routing changes in a way that isn't relevant to them.

Tom.
--
Tom Killalea (425) 649-7417 NorthWestNet
tomk@nwnet.net
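
The route filtering proposed in section 5.6 above, sketched as an added example that is not part of the original message or the draft: it drops heard announcements that lie inside the address space allocated for private Internets (RFC 1918) and aggregates internal routes before they are announced. The function names, the sample prefixes and the choice to treat a malformed prefix as a "bogus" route are assumptions made for illustration.

```python
import ipaddress

# Address space allocated for private Internets (RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def filter_inbound(announcements):
    """Split heard announcements into (accepted, rejected).

    A route is rejected when its prefix is malformed (assumed here to be
    one kind of bogus route) or lies entirely inside a private block.
    Covering routes such as a default route are not rejected.
    """
    accepted, rejected = [], []
    for text in announcements:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            rejected.append((text, "malformed prefix"))
            continue
        if net.version == 4 and any(net.subnet_of(b) for b in PRIVATE_BLOCKS):
            rejected.append((text, "private address space"))
        else:
            accepted.append(net)
    return accepted, rejected


def aggregate_outbound(internal_routes):
    """Collapse internal routes into the fewest covering prefixes to announce."""
    nets = [ipaddress.ip_network(r) for r in internal_routes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample data: documentation prefixes plus private ones.
HEARD = ["198.51.100.0/24", "10.20.0.0/16", "192.168.1.0/24",
         "203.0.113.5/24", "172.16.0.0/12", "192.0.2.0/24"]
INTERNAL = ["198.51.100.0/26", "198.51.100.64/26",
            "198.51.100.128/25", "203.0.113.0/25"]

if __name__ == "__main__":
    ok, bad = filter_inbound(HEARD)
    print("accept:", [str(n) for n in ok])
    for prefix, why in bad:
        print("reject:", prefix, "-", why)
    print("announce:", aggregate_outbound(INTERNAL))
```

Aggregating the four internal routes yields two announcements, so a change among the more specific internal prefixes does not produce a routing update visible to other networks.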