an effect of ignoring BCP38

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Sep 8 15:47:53 UTC 2008


On Sat, 06 Sep 2008 06:49:05 PDT, k claffy said:
> 
> do that many networks really allow spoofing?  i used
> to think so, based on hearsay, but rob beverly's
> http://spoofer.csail.mit.edu/summary.php suggests
> things are a lot better than they used to be, arbor's
> last survey echoes same.  are rob's numbers inconsistent
> with numbers anyone else believes to be true?

You can easily have a network configuration where 95% of the networks
do very stringent BCP38 on their customer-facing connections, but the
spoofing sources are carefully chosen to be within the 5% of places that
aren't filtering...

Plus, there's nothing that says that a network can't do BCP38 on 99.998%
of its ports, but have a punchout for the 3 or 4 ports that need it for
network monitoring/research.  So a network could be reported as "non-spoofable"
to the MIT project, *and* still provide a sensor machine for the reverse
path project...