no ip forged-source-address

Michael Lamoureux lamour at mail.argfrp.us.uu.net
Wed Oct 30 17:09:33 UTC 2002


 "daniel" == Daniel Senie <dts at senie.com> writes:

daniel> If the government or other large buyers require network-wide
daniel> ingress filtering in any supplier they buy from (something I
daniel> suggested to the folks at eBay, Schwab, etc. in our phone
daniel> calls after the attacks a few years ago), or if there were
daniel> legal incentive, there might be a chance ISPs would find a
daniel> financial motive to implement BCP 38. As it is, there's no
daniel> incentive, so the path of least resistance is to do nothing.

I find it interesting that you suggest that the legal incentive should
be toward having the ISPs come up with a magic solution and not toward
having the customers do egress filtering at the edge(s) of their
network and actually perform something resembling security on the
hosts on their networks.

After all, it is not usually a security failing of the ISP that causes
a DoS or DDoS attack, but utter incompetence or neglect by someone at
the edge of the network.  The problem is that it's those same people
who have the money needed to keep the ISPs in business.  Unless
all ISPs decided to hold the customers responsible, they'd just move
to another ISP.

I'm not saying I don't think ISPs should filter where feasible, I'm
just saying that if we're going to hold someone responsible, it should
be the people who are responsible, not the people who are convenient.


but my opinions are probably worthless,
Michael


