Spoofing the source IP address from a probe?
I read in the interesting <http://www.internetsociety.org/blog/2013/06/can-we-stop-ip-spoofing-internet> about BCP38 (anti-spoofing):
Another possibility that was suggested is using RIPE Atlas probes to probe network capabilities (or shall we say incapabilities?).
AFAIK, Atlas probes cannot currently perform these tests, am I correct?
On 12.06.2013, at 16:53, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
I read in the interesting <http://www.internetsociety.org/blog/2013/06/can-we-stop-ip-spoofing-internet> about BCP38 (anti-spoofing):
Another possibility that was suggested is using RIPE Atlas probes to probe network capabilities (or shall we say incapabilities?).
AFAIK, Atlas probes cannot currently perform these tests, am I correct?
No, they cannot. It is a matter of policy first and foremost. It is too easy to lose the trust of the probe hosts and to get a bad name with providers if we have the probes do stuff that is as questionable as source address spoofing.

Personally I am very much against probes spoofing source addresses. In my personal judgement the risk of losing a significant number of probes is not at all justified by the potential benefit of doing spoofing measurements.

As RIPE NCC chief scientist I am of the opinion that if the community decides to do such tests despite the risk to RIPE Atlas, then we can only do this with explicit permission from the host concerned.

Daniel
No, they cannot. It is a matter of policy first and foremost. It is too easy to lose the trust of the probe hosts and to get a bad name with providers if we have the probes do stuff that is as questionable as source address spoofing.
<aol> thank you randy
On Wed, Jun 12, 2013 at 05:35:54PM +0200, Randy Bush wrote:
No, they cannot. It is a matter of policy first and foremost. It is too easy to lose the trust of the probe hosts and to get a bad name with providers if we have the probes do stuff that is as questionable as source address spoofing.
<aol>
thank you
To be fair, it was discussed at RIPE 66 and there was an open question as to whether malformed traffic testing of any type would be of value (even on an opt-in basis). Arguably, address forgery is a subtype of malformed traffic.

I would encourage those in the community who wish to perform individual spoof testing (or instruct others how to do so) to use the easy-peasy pointy-clicky CAIDA/CSAIL tool: http://spoofer.cmand.org/ (also spoofer.csail.mit.edu, spooftest.net, etc etc)

-- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NANOG
On 12.06.2013, at 17:44, Joe Provo <jzp-ripe@rsuc.gweep.net> wrote:
I would encourage those in the community who wish to perform individual spoof testing (or instruct others how to do so) to use the easy-peasy pointy-clicky CAIDA/CSAIL tool: http://spoofer.cmand.org/ (also spoofer.csail.mit.edu, spooftest.net, etc etc)
Seconded. Using something like this is a conscious decision of the user. I have personally run Robert Beverly's probes regularly for many years and I am proud to say that both my broadband providers have never allowed source address spoofing. This involves a conscious decision on my part, taking into account local network etiquette, my relation to my providers and the local legal situation. It is very, very different from the RIPE community deciding to use RIPE Atlas to do this from my network.

Daniel
Hi,

I think some hosts would like their probes to be used for the "source IP spoofing" check, and only such probes could be used for this particular type of check. If the RIPE Atlas team implements such a feature then probably many hosts will "enable" the "source IP spoofing check ability" on their probes, and that can serve the community in the end.

Of course the overall mechanism should be designed in a way that does not make anyone suspect that a probe can do spoofing by default or that a probe can do any harmful thing.

Alex Saroyan

On 06/12/2013 10:37 PM, Daniel Karrenberg wrote:
On 12.06.2013, at 17:44, Joe Provo <jzp-ripe@rsuc.gweep.net> wrote:
I would encourage those in the community who wish to perform individual spoof testing (or instruct others how to do so) to use the easy-peasy pointy-clicky CAIDA/CSAIL tool: http://spoofer.cmand.org/ (also spoofer.csail.mit.edu, spooftest.net, etc etc)

Seconded. Using something like this is a conscious decision of the user. I have personally run Robert Beverly's probes regularly for many years and I am proud to say that both my broadband providers have never allowed source address spoofing. This involves a conscious decision on my part, taking into account local network etiquette, my relation to my providers and the local legal situation. It is very, very different from the RIPE community deciding to use RIPE Atlas to do this from my network.
Daniel
Alex Saroyan wrote on 7/18/13 8:53 AM:
Hi,
I think some hosts would like their probes to be used for the "source IP spoofing" check, and only such probes could be used for this particular type of check. If the RIPE Atlas team implements such a feature then probably many hosts will "enable" the "source IP spoofing check ability" on their probes, and that can serve the community in the end.
I support this point of view. I think controlled (anti-)spoofing measurements performed by the RIPE NCC with the consent of participating probes would be a good service to the community. I understand that a certain percentage of probes are sitting behind NAT, where spoofing won't work in most cases, but there is hopefully a significant number of probes that are connected directly.

Regarding the problem itself that we are tackling here, we published a follow-up to the panel we held at RIPE 66: http://www.internetsociety.org/doc/anti-spoofing-continuing-dialogue. Hope this helps raise awareness of the issue further.
Of course the overall mechanism should be designed in a way that does not make anyone suspect that a probe can do spoofing by default or that a probe can do any harmful thing.
Agree, Andrei
Alex Saroyan
On 06/12/2013 10:37 PM, Daniel Karrenberg wrote:
On 12.06.2013, at 17:44, Joe Provo <jzp-ripe@rsuc.gweep.net> wrote:
I would encourage those in the community who wish to perform individual spoof testing (or instruct others how to do so) to use the easy-peasy pointy-clicky CAIDA/CSAIL tool: http://spoofer.cmand.org/ (also spoofer.csail.mit.edu, spooftest.net, etc etc)

Seconded. Using something like this is a conscious decision of the user. I have personally run Robert Beverly's probes regularly for many years and I am proud to say that both my broadband providers have never allowed source address spoofing. This involves a conscious decision on my part, taking into account local network etiquette, my relation to my providers and the local legal situation. It is very, very different from the RIPE community deciding to use RIPE Atlas to do this from my network.
Daniel
I support this point of view. I think controlled (anti-)spoofing measurements performed by the RIPE NCC with the consent of participating probes would be a good service to the community.
perhaps the probe owners are not the only parties with skin in the game and whose consent would be relevant? randy
On Tue, Jul 30, 2013 at 11:22 AM, Randy Bush <randy@psg.com> wrote:
I support this point of view. I think controlled (anti-)spoofing measurements performed by the RIPE NCC with the consent of participating probes would be a good service to the community.
perhaps the probe owners are not the only parties with skin in the game and whose consent would be relevant?
Exactly. I host probes, and since you are spoofing others, we need to ask them. How you do this is left as an exercise to the reader.

-- Sanjeev Gupta +65 98551208 http://www.linkedin.com/in/ghane
Randy Bush wrote on 7/30/13 5:22 AM:
I support this point of view. I think controlled (anti-)spoofing measurements performed by the RIPE NCC with the consent of participating probes would be a good service to the community.
perhaps the probe owners are not the only parties with skin in the game and whose consent would be relevant?
I assume it will also be done with the consent of the address holder whose addresses are used for spoofing (e.g. from the RIPE NCC's own address block). And spoofing violations will happen extremely rarely, a few packets per week, just to put this into perspective.

Andrei
On Wed, Jun 12, 2013 at 05:30:21PM +0200, Daniel Karrenberg wrote:
No, they cannot. It is a matter of policy first and foremost. It is too easy to lose the trust of the probe hosts and to get a bad name with providers if we have the probes do stuff that is as questionable as source address spoofing.
thanks.
As RIPE NCC chief scientist I am of the opinion that if the community decides to do such tests despite the risk to RIPE Atlas, then we can only do this with explicit permission from the host concerned.
As a host, my understanding is that the Atlas network exists to generate a view of "the Internet" from a variety of vantage points. A spoofing test (and other tests that have been discussed) would rather explore specific aspects of the respective hosts' networks. There's really a fine line.

-Peter
No, they cannot. It is a matter of policy first and foremost. It is too easy to lose the trust of the probe hosts and to get a bad name with providers if we have the probes do stuff that is as questionable as source address spoofing.
Personally I am very much against probes spoofing source addresses. In my personal judgement the risk of losing a significant number of probes is not at all justified by the potential benefit of doing spoofing measurements.
As RIPE NCC chief scientist I am of the opinion that if the community decides to do such tests despite the risk to RIPE Atlas, then we can only do this with explicit permission from the host concerned.
Daniel
The approach above is the wrong one to take from an ISP sysadmin perspective. What should be done is router-based (CBAC) packet source address checking, ideally on the sysadmin's leaf routers if such routers are deployed, or else on the core routers. You only want good traffic reaching service machines if network traffic usage is to be worthwhile. A good network provider will implement source address checking, as they value the network usage. Customer end devices are a good point at which to check packet sources, as botnet machines frequently utilize home machines. Feel free to use my probe for anything that can improve good network traffic usage; in this age of money cutbacks it is useful.

Colin Johnston
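Colin's post argues for doing source address checking on the routers themselves rather than measuring it from probes. What follows is an added example, not code from this thread, from RIPE Atlas or from the spoofer tool: a small Python model of the unicast reverse-path (uRPF) check that a BCP38-style ingress filter performs, run over constructed packets against a constructed FIB. The interface names cust1, cust2 and upstream, the RFC 5737 documentation prefixes, the default route and the allow_default flag are all assumptions made for illustration. It shows why strict mode is the right check at a customer leaf, why it needs a default-route caveat on the upstream-facing side, and why loose mode alone does not stop one customer spoofing a neighbouring customer's prefix.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Added example, not RIPE Atlas or spoofer code. Models the unicast
# reverse-path (uRPF) check a BCP38 ingress filter performs on a router.
# The FIB, interface names and packets below are constructed; the prefixes
# are RFC 5737 documentation ranges.

# FIB as prefix -> egress interface. The default route points at upstream.
FIB: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "cust1",   # customer 1
    ipaddress.ip_network("198.51.100.0/25"): "cust2",  # customer 2
    ipaddress.ip_network("0.0.0.0/0"): "upstream",     # default route
}


def lookup(fib, src) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match on the source address; None if no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in fib.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def urpf_permit(fib, ingress, src, mode="strict", allow_default=False) -> bool:
    """Decide whether a packet with source `src` arriving on `ingress` passes.

    strict: the best route to src must point back out of `ingress`
            (the right check at a customer leaf, where prefixes are known).
    loose:  any route to src is enough; only catches unrouted/bogon sources.
    allow_default: whether a match on the default route counts as a route.
            Off by default, mirroring common router behaviour; without it,
            strict mode on an upstream-facing interface drops legitimate
            traffic that only the default route covers.
    """
    match = lookup(fib, src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return iface == ingress
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed packets: (ingress interface, source address, what it represents)
PACKETS = [
    ("cust1", "203.0.113.7", "customer 1 using its own address"),
    ("cust1", "198.51.100.9", "customer 1 spoofing customer 2"),
    ("cust1", "192.0.2.1", "customer 1 spoofing a remote address"),
    ("upstream", "198.51.100.9", "outside world spoofing customer 2"),
    ("upstream", "192.0.2.1", "ordinary inbound traffic"),
]


def evaluate(fib, packets, mode, allow_default=False) -> Dict[Tuple[str, str], str]:
    """Return {(ingress, src): 'permit' | 'drop'} for every constructed packet."""
    return {
        (ingress, src): ("permit" if urpf_permit(fib, ingress, src, mode, allow_default) else "drop")
        for ingress, src, _ in packets
    }


if __name__ == "__main__":
    for mode, allow_default in (("strict", False), ("strict", True), ("loose", False)):
        print(f"\nmode={mode} allow_default={allow_default}")
        verdicts = evaluate(FIB, PACKETS, mode, allow_default)
        for ingress, src, what in PACKETS:
            print(f"  {ingress:9s} {src:14s} {verdicts[(ingress, src)]:6s} {what}")
```

Running it prints one verdict table per mode. Strict mode on the customer interfaces drops both spoofed packets from cust1 whether or not the default route is allowed, which is the BCP38 guarantee; on the upstream interface strict mode is only usable with allow_default, and even then it still catches the outside world spoofing a customer prefix. Loose mode lets cust1 spoof cust2, which is why loose uRPF belongs at peering edges with a full table, not at the customer leaf.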
participants (9): Alex Saroyan, Andrei Robachevsky, Colin Johnston, Daniel Karrenberg, Joe Provo, Peter Koch, Randy Bush, Sanjeev Gupta, Stephane Bortzmeyer