Re: uRPF-based Blackhole Routing System Overview

["Thomas Kernen" <tkernen () deckpoint ch>]

Catching up on the thread.. vendor C also calls it "IP Source-guard" on the
Cat 4K in IOS. And it acually works quite well (does require DHCP snooping).

T

----- Original Message ----- 
From: "Scott McGrath" <mcgrath () fas harvard edu>
To: <nanog () merit edu>
Sent: Wednesday, November 12, 2003 5:17 PM
Subject: Re: uRPF-based Blackhole Routing System Overview


> Vendor C calls it DHCP snooping and to the best of my knowledge it is only
> available under IOS not CatOS
>
>
>                             Scott C. McGrath
>
> On Fri, 7 Nov 2003, Greg Maxwell wrote:
>
> > On Fri, 7 Nov 2003, Robert A. Hayden wrote:
> >
> > [snip]
> > > One final note.  This system is pretty useless for modem pools, VPN
> > > concentrators, and many DHCP implementations.  The dynamic IP nature
of
> > > these setups means you will just kill legitimate traffic next time
someone
> > > gets the IP.  You can attempt to correlate your detection with the
time
> > > they were handed out, of course, in the hopes you find them.
> >
> > Another approach to address this type of problem is the source spoofing
> > preventing dynamic-acls support that some vendors have been adding to
> > their products. I don't know if it's in anyone's production code-trains
> > yet.
> >
> > The basic idea is that your switch snoops DHCP traffic to the port and
> > generates an ACL based on the address assigned to the client. Removing a
> > host is as simple as configuring your DHCP server to ignore it's
requests
> > and perhaps sending a crafty packet (custom written DECLINE) to burp the
> > existing ACL out of the switch.
> >
> > Vendor F calls this feature "Source IP Port Security", I'm not sure what
> > vendor C calls it.
> >
> > Since this is a layer 2 feature you can configure it far out on the edge
> > and not just at the router.