On Mon, 2013-04-01 at 11:17 -0700, John R Pierce wrote:
> On 4/1/2013 6:11 AM, Michael H. Warfield wrote:
> > it's also very important to implement BCP (Best Common Practice) 38.
> > BCP 38 recommends router egress filtering. That is, you only route out
> > what will route back in. That prevents you (or any of your customers)
> > from being a spoofing source.

> of course, this breaks a bunch of types of ad-hoc multihoming, where you
> have multiple ISPs, each with their own subnets, and you're trying to
> load balance your outbound traffic.

It doesn't have to and it's just as easy to argue that stateful firewalls also break such configurations (they do). It is possible to interface your load leveling and dynamic routing into your filter if it's done properly. The point there is that you have to do it properly up front. Once it's done, it should require little maintenance. Unfortunately, if you have to go back into an established architecture and retrofit one in, that can be a difficult and time consuming prospect, especially if you didn't design the network to begin with.

If you're dealing with multihoming and multiple ISPs then you should be talking BGP (or IS-IS) to your ISPs (I have my own ASN and advertise my own routes on IPv4 and IPv6 but you can use private ASNs and many ISPs will cooperate if you have the address space to advertise) and it should all be integrated. If you are trying to do ad-hoc multihoming without using BGP or IS-IS to manage the routing to your ISPs, then I have no sympathy for you. That's just inviting a never ending stream of self-inflicted trouble and grief when routing breaks (been there, done that, not pretty). Being abused for DNS amplification attacks is the least of your problems then. Once we had multiple connections to the same ISP (redundant fiber links running in different directions out the street outside of our building) we were running BGP to manage it.

But I also understand that in many large organizations (particularly ones who are NOT ISPs and their primary business is not networking) much of the IT staff is even more terrified of BGP than they are of DNS and probably for good reasons. That's a statement from personal experience. Years ago, I asked for a "read-only BGP" feed from our IT department way back then (10 or 15 years ago) and got a "not no - hell no - are you insane?" answer. Their reasoning was that they trusted me (as if they had a choice) but they didn't trust all of their mainline minions (err, staff) to stick their fingers in those routers. BGP is so critical to those who rely on it (especially if you are multihomed) that, if someone makes even a minor mistake, it can disastrously disconnect you from the net or worse. Unfortunately, even worse than DNS, once it's working people (management) want you to LEAVE IT ALONE lest you break it. So, most IT people are even less familiar with BGP than DNS and plenty are scared shitless about breaking DNS.

DNS itself can be just as bad. Simple mistakes can be amplified and obfuscated. Just ask Microsoft. They got dropped off the net for days several years ago after someone misconfigured a firewall so their slaves couldn't talk to their master and the TTL (Time To Live) expired several hours after the guilty party was off duty and had gone home. On top of that, they had all their public name servers on the same subnet (violation of several BCPs going back decades) compounding the problem AND opening them up to a DOS against the router leading into that subnet.

We (IETF, IEEE, ACM, et al) can publish and update BCPs but it doesn't mean people will follow them. It does mean that we can say "we told you not to do that..." after it breaks. You pays your nickel and you takes your chance. :-/

> --
> john r pierce 37N 122W
> somewhere on the middle of the left coast

Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
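The egress filter the thread discusses ("you only route out what will route back in"), as an added example that is not part of the original message: a small Python model of a reverse-path source-address check over a constructed forwarding table for a multihomed site. It shows why strict checking can drop legitimate traffic on a non-best ISP link, how a feasible-path mode integrates the alternate routes into the filter, and why loose checking alone does not stop a customer from spoofing a routable address. The prefixes, interface names and modes are assumptions for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed forwarding table for a multihomed site: prefix -> candidate egress
# interfaces, best path first (as BGP would select it), feasible alternates after.
ROUTES: List[Tuple[ipaddress.IPv4Network, Tuple[str, ...]]] = [
    (ipaddress.ip_network("192.0.2.0/24"), ("lan0",)),             # our own block
    (ipaddress.ip_network("198.51.100.0/24"), ("isp_a",)),         # reachable only via ISP A
    (ipaddress.ip_network("203.0.113.0/24"), ("isp_b", "isp_a")),  # best via B, feasible via A
]

def lookup(src: str) -> Optional[Tuple[str, ...]]:
    """Longest-prefix match; the interfaces `src` would be reached through, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifaces)
    return best[1] if best else None

def rpf_check(src: str, ingress: str, mode: str = "strict") -> bool:
    """True if a packet from `src` arriving on `ingress` may be forwarded.

    strict   - the source must route back out the interface it arrived on
    feasible - any path the routing protocol knows (best or alternate) counts;
               this is how load-levelled multihoming is integrated into the filter
    loose    - a route merely has to exist; it catches bogons but not a customer
               spoofing another routable address
    """
    ifaces = lookup(src)
    if ifaces is None:
        return False                      # unroutable source: drop in every mode
    if mode == "strict":
        return ifaces[0] == ingress
    if mode == "feasible":
        return ingress in ifaces
    if mode == "loose":
        return True
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    SAMPLE = [                            # constructed (source, ingress interface) pairs
        ("192.0.2.5", "lan0"),            # legitimate customer traffic
        ("198.51.100.7", "lan0"),         # customer using someone else's address
        ("203.0.113.9", "isp_a"),         # legit inbound on the non-best ISP link
        ("10.1.2.3", "isp_a"),            # no route at all
    ]
    for mode in ("strict", "feasible", "loose"):
        print(mode, [(s, i, rpf_check(s, i, mode)) for s, i in SAMPLE])
```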