nanog mailing list archives

Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?]

From: Tony Tauber <ttauber () 1-4-5 net>
Date: Tue, 4 Feb 2014 17:14:40 -0500

On Tue, Feb 4, 2014 at 1:47 PM, <Valdis.Kletnieks () vt edu> wrote:


Can somebody explain to me why those who run eyeball networks are able
to block outbound packets when the customer hasn't paid their bill,
but can't seem to block packets that shouldn't be coming from that
cablemodem?


The DOCSIS spec has source address verification (as I understand it, for
about a decade.)
It is deployed within at least one large cable access provider network I am
familiar with (though I don't personally work on the DOCSIS side of things).

Why don't enterprises, hosting and cloud providers do it?  (I don't know
that they don't, but I figured I'd just keep with the tone.)
Enterprises know what prefixes they have so should drop outbound packets
with source IPs other than those, right?
Likewise hosting providers ought to put in some safeguards.
What about cloud providers who also provide virtual OSes and other
software?
Are those VMs and their third-party software kept patched?

All those folks also provide access at the network edge.

Tony

Current thread:

Re: Why won't providers source-filter attacks? Simple., (continued)
- - - Re: Why won't providers source-filter attacks? Simple. Randy Bush (Feb 05)
    - Re: Why won't providers source-filter attacks? Simple. Paul Ferguson (Feb 05)
    - Re: Why won't providers source-filter attacks? Simple. Randy Bush (Feb 05)
    - Re: Why won't providers source-filter attacks? Simple. Leo Bicknell (Feb 06)
    - POLL: BCP38 Name And Shame Jay Ashworth (Feb 05)
    - Message not available
    - Re: Why won't providers source-filter attacks? Simple. Mark Andrews (Feb 05)
    - Re: Why won't providers source-filter attacks? Simple. Randy Bush (Feb 05)
    - Re: Why won't providers source-filter attacks? Simple. Livingood, Jason (Feb 07)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Jay Ashworth (Feb 04)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] goemon (Feb 04)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Tony Tauber (Feb 04)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Randy Bush (Feb 04)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Livingood, Jason (Feb 04)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Octavio Alvarez (Feb 04)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Livingood, Jason (Feb 04)
    - RE: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Frank Bulk (Feb 04)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Livingood, Jason (Feb 05)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Christopher Morrow (Feb 05)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Robert Drake (Feb 06)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] Jay Ashworth (Feb 05)
    - Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?] joel jaeggli (Feb 05)

(Thread continues...)