no ip forged-source-address

Daniel Senie dts at senie.com
Wed Oct 30 22:00:14 UTC 2002


At 12:09 PM 10/30/2002, you wrote:
>  "daniel" == Daniel Senie <dts at senie.com> writes:
>
>daniel> If the government or other large buyers require network-wide
>daniel> ingress filtering in any supplier they buy from (something I
>daniel> suggested to the folks at eBay, Schwab, etc. in our phone
>daniel> calls after the attacks a few years ago), or if there were
>daniel> legal incentive, there might be a chance ISPs would find a
>daniel> financial motive to implement BCP 38. As it is, there's no
>daniel> incentive, so the path of least resistance is to do nothing.
>
>I find it interesting that you suggest that the legal incentive should
>be toward having the ISPs come up with a magic solution and not toward
>having the customers do egress filtering at the edge(s) of their
>network and actually perform something resembling security on the
>hosts on their networks.

What I suggested was a financial OR legal incentive.


>After all, it is not usually a security failing of the ISP that causes
>a DoS or DDoS attack, but utter incompetence or neglect by someone at
>the edge of the network.

That's a question of perspective. Arguably both the ISP and the end user 
are responsible. The ISP is often in the role of managing the CPE router, 
and thereby has control over the router where ingress/egress filtering is 
most easily implemented with simple access control lists.

>   The problem is that it's those same people
>who have the money needed to keep the ISPs in business.  Unless
>all ISPs decided to hold the customers responsible, they'd just move
>to another ISP.

Or unless customers refuse to buy from anyone who doesn't do ingress 
filtering, resulting in a financial incentive for the ISP.


>I'm not saying I don't think ISPs should filter where feasible, I'm
>just saying that if we're going to hold someone responsible, it should
>be the people who are responsible, not the people who are convenient.

I find it interesting that some ISPs have no trouble taking care of ingress 
filtering, while others bellyache about how hard and expensive it is. 
Another nanog participant commented ATT implemented this starting in 1995. 
A UUNet person was the most vocal opponent to the draft that became RFC 
2267 (over concern that the Cisco 7000's in use then would not handle the 
load). Six years later, ATT's network seems to do OK. Did UUNet ever do 
anything about it? Buy gear sized properly to do it? UUNet gives away 
2610's with leased lines. Do they come pre-configured to do ingress 
filtering even?

The question for the ISP is how it will defend itself when summoned to 
court. The ISP had the tools to ensure spoof attacks could not come from 
its network, yet chose not to. The customer likely would also face the 
negligence charge. The plaintiff would be the customer of another ISP whose 
business was severely injured. The question is whether you want to, in 
court, tell the judge "my customer was an idiot. Blame them, it's not my 
fault." You might even get away with it, but I suspect you would lose your 
customer base pretty quickly thereafter.

The S in ISP stands for SERVICE. You're providing a service to your 
customers. Helping those customers stay out of trouble, whether it's by 
selling them a firewall service, or managing their CPE router, or just 
providing ingress filtering, is part of what service is about.

I'm not surprised that major backbone providers still complain about 
ingress filtering. I am a bit surprised no lawsuits have yet cited BCP 38.
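
One way to implement the ingress filter discussed above with "simple access control lists" on a Cisco IOS CPE router, as an added example that is not part of the original post. The customer prefix 192.0.2.0/24 (a documentation range used as a placeholder), the interface names and the ACL name are assumptions.

```cisco
! Added example (not from the original post): BCP 38 ingress filtering on a
! CPE router. Assumes the customer was assigned 192.0.2.0/24 (placeholder
! documentation prefix), the customer LAN is on FastEthernet0/0 and the
! leased line to the ISP is Serial0/0.
!
! Option 1: a plain extended ACL. Packets arriving from the customer LAN may
! only carry a source address inside the assigned block; anything else is
! dropped and logged, so spoofed sources show up in syslog instead of
! leaving the network.
ip access-list extended BCP38-INGRESS
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description Customer LAN
 ip address 192.0.2.1 255.255.255.0
 ip access-group BCP38-INGRESS in
!
interface Serial0/0
 description Leased line to ISP
!
! Option 2: strict unicast reverse-path forwarding on the same interface.
! The router accepts a packet only if its best route back to the source
! address points out the interface the packet arrived on, so a single-homed
! customer gets the same protection without maintaining a per-prefix ACL.
! Requires CEF to be enabled.
ip cef
!
interface FastEthernet0/0
 ip verify unicast source reachable-via rx
```

Either option is sufficient on its own for a single-homed customer; the ACL form makes the permitted prefix explicit and is easier to audit, while uRPF tracks the routing table automatically when prefixes change.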
