Opened 17 months ago

Closed 17 months ago

Last modified 13 months ago

#1112 closed task (fixed)

source IP address spoofing from AS56554 (IETF meeting network)

Reported by: mjl@… Owned by: jim@…
Priority: tbd Milestone: ietf-099
Component: network Keywords:
Cc: My Current Location:
My MAC Address: My OS:

Description

Hi,

While reviewing recent public tests from the CAIDA spoofer client

https://www.caida.org/projects/spoofer/

I came across one involving the IETF meeting network.  It seems that
based on the testing history for AS56554, there is inadequate filtering
of IPv6 packets with invalid source addresses, so packets with spoofed
source addresses can leave your network.  These systems can
participate in volumetric denial of service attacks.

https://spoofer.caida.org/recent_tests.php?as_include=56554

Matthew

signature.asc

Attachments (2)

signature.asc (204 bytes) - added by mjl@… 17 months ago.
Added by email2trac
signature-1.asc (163 bytes) - added by mjl@… 17 months ago.
Added by email2trac

Download all attachments as: .zip

Change history (8)

Changed 17 months ago by mjl@…

Attachment: signature.asc added

Added by email2trac

comment:1 Changed 17 months ago by llynch@…

Component: incomingnetwork
Owner: changed from < default > to jim@…
Status: newassigned
Type: requesttask

Jim -

I'll let you assign this one -

  • Lucy

comment:2 Changed 17 months ago by jim@…

Matthew,

Ironically, I think it's the spoofer client on my laptop that reported that. I kicked it off when we started the network build, and I saw v4 pass, and missed going back to check for v6. I'll have the routing team look into it, but we need to be very conservative in changes once the meetings start.

Thanks very much for pointing this out!

  • Jim

comment:3 Changed 17 months ago by jim@…

Resolution: fixed
Status: assignedclosed

Matthew,

Looks like the v6 BCP38 filter was disabled on one of our external routers during some debugging during setup. We've reenabled it and things look good. See https://spoofer.caida.org/report.php?sessionkey=lr66t7puz8dza8

Thanks for the nudge! Closing this ticket, but a reply will reopen.

  • Jim

comment:4 in reply to:  5 Changed 17 months ago by mjl@…

Resolution: fixed
Status: closedreopened
Hi Jim,

Thanks for supporting the project by installing the spoofer client, much
appreciated.  I actually tried to report this last week before the IETF
meeting but the email bounced because the ticket system wasn't open.
Can the ticket system can open earlier next time?

Any chance you can be convinced to attend opsec on Wednesday and argue
for better SAV defaults?

https://www.ietf.org/proceedings/99/agenda/agenda-99-opsec-01.html

Matthew

signature-1.asc

Changed 17 months ago by mjl@…

Attachment: signature-1.asc added

Added by email2trac

comment:5 Changed 17 months ago by jim@…

Resolution: fixed
Status: reopenedclosed

I'll see if I can make it to OPSEC. Thanks for the encouragement!

Resolving

  • Jim

comment:6 Changed 13 months ago by Rick Alfvin

Milestone: ietf-99ietf-099

Milestone renamed

Note: See TracTickets for help on using tickets.