an effect of ignoring BCP38

David Sinn dsinn at dsinn.com
Fri Sep 5 22:36:42 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't think you will get any argument that the vast majority of CS  
departments teach theory and not as much valid practice when it comes  
to networking.  Though, being formally at the UW, I can tell you that  
they wouldn't have been able to spoof on the campus or through it's  
upstream (which we also ran).

That being said, I think another area that BCP38 is going to run into  
problems with is IPv6.  Given that host are multi-addressed from day  
one and nominally follow a default route for returning traffic, they  
can easily appear to "spoof" perfectly valid traffic (6to4 in, native  
out for example).  While some can be made as exceptions (6to4), some  
won't be done so easily without some implementation changes.

And that's not even touching on the holes in RPF checks on Cisco (no  
feasible) or Juniper (not quite as feasible as is really feasible)  
platforms.

David

On Sep 4, 2008, at 10:22 PM, bmanning at vacation.karoshi.com wrote:

>
>
> seems that some folks in the R&E community, with institutional support
> from Cisco, Google, and the US NSF, are exploiting our inability to
> take even rudimentary steps toward providing a level of integrity in
> routing by teaching students that spoofing IP space is ok.  This whole
> thing works at all because so few people use/deploy/maintain BCP-38
> compliance.  This was an eye-opener for me.
>
> http://www.caida.org/workshops/wide/0808/slides/measuring_reverse_paths.pdf
>
>
> --bill

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkjBtHoACgkQLa9jIE3ZamPYzQCgu2OdDu8/Uq896ffcJZjSX7X8
6jgAnR7iZFiRAsxN6+qn64ZVYIcNy1hy
=E20v
-----END PGP SIGNATURE-----




More information about the NANOG mailing list