The original point was that a leaf network might find itself sued if it allows packets to leave with a bogus source IP address. Perhaps we should write up an RFC about leaf networks restricting outgoing packets with egress filtering. It wouldn't completely stop DDoS, but it would make the AOL/EarthLink/Home etc. networks much less likely to be sources of spoofed packets. Cable modems are in the 24.0.0.0/8 and 65.0.0.0/10 IP space. If they only allowed those IPs to leave, cable modems wouldn't be used for DDoS other than to cable modem customers. And even if the source address were forged to be another cable modem address, it would still make back tracing a lot easier, because one would start at the cable network border routers rather than every possible backbone connection.

If an ISP is ferrying traffic, it should be doing ingress filtering on input so that egress filtering is not necessary for backbone routers but only leaf routers. It is not a perfectly simple problem, but I believe it is as solvable as BGP routing.

-----Original Message-----
From: firewalls-owner@Lists.GNAC.NET [mailto:firewalls-owner@Lists.GNAC.NET] On Behalf Of dgillett@deepforest.org
Sent: Sunday, June 10, 2001 08:27
To: firewalls@Lists.GNAC.NET
Subject: RE: This is a must read document. It will freak you out

Egress filtering at border points is appropriate for leaf networks. Many ISPs, though, also ferry third-party traffic between their peering points; it would be inappropriate for them to accept traffic that an egress rule elsewhere will prevent them from delivering. This isn't to say that it can't or shouldn't be done, only that determining how much filtering should be done, and at which routers, may be less simple for multi-homed ISPs than it sounds.

David Gillett

On 9 Jun 2001, at 21:16, Paul D. Robertson wrote:

> On Sat, 9 Jun 2001, Bill Royds wrote:
>
> > Note: RFC 2267 has been superseded by RFC 2827
>
> Thanks, I had indeed missed that.
>
> > You are correct, RFC2827 is not a standard but it is a Best Current
> > Practice (BCP0038) which could be used as a precedent in a lawsuit if
> > it came to that. RFC2827 is about ingress filtering for backbones
> > rather than egress filtering for ISPs but the rules are similar. It
> > is just which side of the peering point you are looking at. Egress
> > filtering would require a lot less horsepower than ingress filtering
> > because the border router already has routing tables for what IP
> > blocks it accepts traffic. Using this on source address of outgoing
> > traffic adds not much more memory overhead (although it does add more
> > CPU cost). This is just applying routing rules to outgoing traffic as
> > well as incoming traffic rather than doing any censoring.
> > The golden rule of egress filtering: Only allow packets out of your
> > network with source IP address that you would allow in.
>
> So, since we seem to be in basic agreement here, is there anyone who can
> come up with a significant impediment to mandatory egress filtering rules
> other than getting buy-in (ISO layer 8 issues)?
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts@patriot.net   which may have no basis whatsoever in fact."

- [To unsubscribe, send mail to majordomo@lists.gnac.net with "unsubscribe firewalls" in the body of the message.]
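As an added illustration of the golden rule quoted above, and of Bill Royds's point that ingress and egress filtering are the same rule seen from opposite sides of the peering point, here is a Python simulation of a leaf border router's RFC 2827 / BCP 38 check. This is example code, not from any poster on the thread; the prefixes are the two cable-modem blocks named above and the packets are constructed samples.

```python
import ipaddress

# Prefixes this leaf network owns, i.e. the blocks it would accept inbound
# traffic for: the two cable-modem blocks named in the thread.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("24.0.0.0/8", "65.0.0.0/10")]


def is_ours(addr: str) -> bool:
    """True if addr falls inside one of the prefixes we route for."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def egress_permitted(src: str) -> bool:
    """Golden rule: let a packet out only if its source could legitimately come
    in. A source we do not own cannot be one of our hosts, so it is spoofed
    (or misrouted) and is dropped at the border."""
    return is_ours(src)


def ingress_permitted(src: str) -> bool:
    """Same rule seen from the other side of the peering point (RFC 2827):
    a packet arriving from outside must not claim one of our own addresses."""
    return not is_ours(src)


def filter_packets(packets):
    """Apply the rule for each packet's direction; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for direction, src, dst in packets:
        ok = egress_permitted(src) if direction == "out" else ingress_permitted(src)
        (forwarded if ok else dropped).append((direction, src, dst))
    return forwarded, dropped


# Constructed sample traffic (direction, source, destination); RFC 5737
# documentation ranges stand in for remote hosts.
SAMPLE = [
    ("out", "24.10.20.30", "192.0.2.10"),   # genuine subscriber: forwarded
    ("out", "198.51.100.7", "192.0.2.10"),  # spoofed foreign source: dropped
    ("out", "65.40.1.2", "24.200.0.5"),     # forged as another cable modem: passes,
                                            # but any trace now starts at our border
    ("in", "203.0.113.9", "24.10.20.30"),   # ordinary inbound: forwarded
    ("in", "24.99.99.99", "24.10.20.30"),   # outsider claiming our space: dropped
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

The third sample shows the residual case the thread discusses: a source forged within the provider's own space still passes, but the set of routers where a trace can begin shrinks to that provider's border.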