nanog mailing list archives
Re: uRPF-based Blackhole Routing System Overview
From: "Thomas Kernen" <tkernen () deckpoint ch>
Date: Tue, 18 Nov 2003 22:16:16 +0100
Catching up on the thread.. vendor C also calls it "IP Source-guard" on the Cat 4K in IOS. And it actually works quite well (does require DHCP snooping).

T

----- Original Message -----
From: "Scott McGrath" <mcgrath () fas harvard edu>
To: <nanog () merit edu>
Sent: Wednesday, November 12, 2003 5:17 PM
Subject: Re: uRPF-based Blackhole Routing System Overview
Vendor C calls it DHCP snooping and to the best of my knowledge it is only available under IOS not CatOS

Scott C. McGrath

On Fri, 7 Nov 2003, Greg Maxwell wrote:

> On Fri, 7 Nov 2003, Robert A. Hayden wrote:
> [snip]
> > One final note. This system is pretty useless for modem pools, VPN
> > concentrators, and many DHCP implementations. The dynamic IP nature of
> > these setups means you will just kill legitimate traffic next time
> > someone gets the IP. You can attempt to correlate your detection with
> > the time they were handed out, of course, in the hopes you find them.
>
> Another approach to address this type of problem is the source spoofing preventing dynamic-acls support that some vendors have been adding to their products. I don't know if it's in anyone's production code-trains yet. The basic idea is that your switch snoops DHCP traffic to the port and generates an ACL based on the address assigned to the client. Removing a host is as simple as configuring your DHCP server to ignore its requests and perhaps sending a crafty packet (custom written DECLINE) to burp the existing ACL out of the switch. Vendor F calls this feature "Source IP Port Security", I'm not sure what vendor C calls it. Since this is a layer 2 feature you can configure it far out on the edge and not just at the router.
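The mechanism Greg Maxwell describes (switch snoops DHCP, builds a per-port binding, and permits only that source on the access port, dropping the entry on RELEASE/DECLINE or lease expiry), modelled as an added example; this is not code from the thread nor any vendor's implementation, and the port names, MACs, addresses and message dictionaries are constructed for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    expires: float          # clock value at which the snooped lease ends


class SourceGuardSwitch:
    """Hypothetical model of DHCP-snooping-derived source filtering on a switch."""

    def __init__(self, trusted_ports, clock=time.monotonic):
        self.trusted = set(trusted_ports)   # ports facing the real DHCP server
        self.bindings = {}                  # access port -> Binding (the generated ACL)
        self.mac_port = {}                  # client MAC -> access port it last asked from
        self.clock = clock

    def snoop_dhcp(self, port, msg):
        """Feed every DHCP message the switch sees; returns True if it is forwarded."""
        kind, mac = msg["type"], msg["chaddr"]
        if kind in ("DISCOVER", "REQUEST"):
            self.mac_port[mac] = port       # remember which port the client sits on
            return True
        if kind == "ACK":
            if port not in self.trusted:
                return False                # server reply from an access port: rogue server, drop
            client_port = self.mac_port.get(mac)
            if client_port is not None:
                self.bindings[client_port] = Binding(mac, msg["yiaddr"], self.clock() + msg["lease"])
            return True
        if kind in ("RELEASE", "DECLINE"):
            b = self.bindings.get(port)
            if b is not None and b.mac == mac:
                del self.bindings[port]     # lease is gone, so the ACL entry is "burped" out
            return True
        return True

    def permit(self, port, src_mac, src_ip):
        """The generated ACL: on access ports only the snooped (MAC, IP) pair may send."""
        if port in self.trusted:
            return True
        b = self.bindings.get(port)
        if b is None:
            return False                    # no lease seen on this port: nothing is permitted
        if self.clock() > b.expires:
            del self.bindings[port]         # expired lease: host must renew before sending again
            return False
        return (src_mac, src_ip) == (b.mac, b.ip)
```

Note that DHCP client traffic itself goes through `snoop_dhcp`, not `permit`, which is how a host with no binding can still obtain a lease.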