Re: [mat-wg] [atlas] Spoofing the source IP address from a probe?

Alex Saroyan wrote on 7/18/13 8:53 AM:
Hi,
I think some hosts would like their probes to be used for a "source IP spoofing" check, and only such probes could be used for this particular type of check. If the RIPE Atlas team implements such features then probably many hosts will "enable" "Source IP spoofing check ability" on their probes, and that can serve the community in the end.
I support this point of view. I think controlled (anti-)spoofing measurements performed by the RIPE NCC with the consent of participating probes would be a good service to the community. I understand that a certain percentage of probes is sitting behind NAT where spoofing won't work in most cases, but there is hopefully a significant number of probes that are connected directly. Regarding the problem itself we are tackling here, we published a follow-up to the panel we held at RIPE66: http://www.internetsociety.org/doc/anti-spoofing-continuing-dialogue. Hope this helps raise awareness of the issue further.
Of course, the overall mechanism should work in a way that does not make anyone suspect that a probe can do spoofing by default or that a probe can do any harmful thing.
Agree,
Andrei
Alex Saroyan
On 06/12/2013 10:37 PM, Daniel Karrenberg wrote:
On 12.06.2013, at 17:44 , Joe Provo <jzp-ripe@rsuc.gweep.net> wrote:
I would encourage those in the community who wish to be performing individual spoof testing (or instruct others how to do so) to use the easy-peasey pointy-clicky CAIDA/CSAIL tool: http://spoofer.cmand.org/ (also spoofer.csail.mit.edu, spooftest.net, etc etc)
Seconded. Using something like this is a conscious decision of the user. I have personally run Robert Beverley's probes regularly for many years and I am proud to say that both my broadband providers have never allowed source address spoofing. This involves a conscious decision on my part taking into account local network etiquette, my relation to my providers and the local legal situation. It is very very different from the RIPE community deciding to use RIPE Atlas to do this from my network.
Daniel

I support this point of view. I think controlled (anti-)spoofing measurements performed by the RIPE NCC with the consent of participating probes would be a good service to the community.
perhaps the probe owners are not the only parties with skin in the game and whose consent would be relevant?
randy

Randy Bush wrote on 7/30/13 5:22 AM:
I support this point of view. I think controlled (anti-)spoofing measurements performed by the RIPE NCC with the consent of participating probes would be a good service to the community.
perhaps the probe owners are not the only parties with skin in the game and whose consent would be relevant?
I assume it will be also done with the consent of the address holder whose addresses are used for spoofing (e.g. from the RIPE NCC own address block). And spoofing violations will happen extremely rarely, a few packets per week, just to put this into perspective.
Andrei
participants (2)
- Andrei Robachevsky
- Randy Bush