
Re: draft-ietf-grip-isp-00.txt now available



>==> From: Tom Killalea
>
>>    In addition, ISPs should filter (and optionally log) all traffic with
>>    source addresses from the address space allocated for private
>>    Internets.
>
>Please re-read my previous comment on this paragraph. This is 
>partially superfluous, and otherwise too vague. 

You're right - I've now removed this from 4.2, the section on Ingress 
Filtering on Source Address.

I think it makes sense to retain a reference to private addresses in
section 5, and specifically I've added a new sub-section as follows:

5.6 Route Filtering

   Excessive routing updates can be leveraged by an attacker as a base
   load on which to build a Denial of Service attack.  At the very least
   they will result in performance degradation.
   
   ISPs should filter the routing announcements they hear, for example
   to ignore routes to addresses allocated for private Internets, to
   avoid bogus routes and to implement route dampening and aggregation
   policy.
   
   ISPs should implement techniques that reduce the risk of putting
   excessive load on routing in other parts of the network.  These
   include 'nailed up' routes, aggressive aggregation and route
   dampening, all of which lower the impact on others when your
   internal routing changes in a way that isn't relevant to them.

Tom.
--
Tom Killalea   (425) 649-7417    NorthWestNet
               tomk@nwnet.net
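
The route filtering policy proposed for section 5.6, as an added example that is not part of the original message or of the draft: it ignores announcements for private address space and dampens a flapping prefix. The penalty-and-decay model, its parameter values, and the names `is_private` and `RouteFilter` are assumptions made for illustration.

```python
import ipaddress

# Address space allocated for private Internets (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dampening parameters: assumed values for illustration only.
PENALTY_PER_FLAP = 1000.0
SUPPRESS_LIMIT = 2000.0   # suppress the route at or above this penalty
REUSE_LIMIT = 750.0       # accept it again once the penalty decays below this
HALF_LIFE = 900.0         # seconds for the penalty to halve


def is_private(prefix):
    """True if an IPv4 prefix lies wholly inside private address space."""
    net = ipaddress.ip_network(prefix)
    return net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_NETS)


class RouteFilter:
    def __init__(self):
        self.state = {}  # prefix -> (penalty, time of last update, suppressed)

    def on_update(self, now, prefix, kind):
        """Process one 'announce' or 'withdraw'; return the decision."""
        if is_private(prefix):
            return "reject-private"
        penalty, last, suppressed = self.state.get(prefix, (0.0, now, False))
        penalty *= 0.5 ** ((now - last) / HALF_LIFE)   # exponential decay
        if kind == "withdraw":
            penalty += PENALTY_PER_FLAP                # each withdrawal is a flap
        if penalty >= SUPPRESS_LIMIT:
            suppressed = True
        elif penalty < REUSE_LIMIT:
            suppressed = False
        self.state[prefix] = (penalty, now, suppressed)
        if kind == "withdraw":
            return "withdrawn"
        return "suppressed" if suppressed else "accept"


if __name__ == "__main__":
    # Constructed sample updates: (seconds, prefix, kind).
    f = RouteFilter()
    for ev in [(0, "10.1.0.0/16", "announce"), (0, "192.0.2.0/24", "announce"),
               (10, "192.0.2.0/24", "withdraw"), (20, "192.0.2.0/24", "announce")]:
        print(ev, "->", f.on_update(*ev))
```

A prefix that merely covers private space, such as a default route, is not rejected by this check, because only prefixes wholly inside the private ranges match.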