BCP38 making it work, solving problems

JP Velders jpv at veldersjes.net
Tue Oct 19 17:30:13 UTC 2004


> Date: Tue, 19 Oct 2004 13:20:08 -0400
> From: David G. Andersen <dga at lcs.mit.edu>
> Subject: Re: BCP38 making it work, solving problems

> [ ... ]
> Unless you're worried about an adversary who taps into your
> fiber, how is MD5 checksums any better than anti spoofing filters
> that protect your BGP peering sessions?  The only benefit I see is
> that you can actually verify that your peer is using md5 checksums,
> instead of having to take them on faith that they won't permit
> someone to spoof their router's address.

How much control do 'they' have over the ways 'someone' can spoof ?
With large providers who don't see any harm in allowing possibly
spoofed traffic through, you cannot exclude the possibility that an
ISP connected to an IX "leaks" those spoofed packets onto the IX.
(or leaks RFC1918 space... I know of a few examples / mails ;D)

In the current world - where you cannot exclude either one - you're
much better off 'safe' then 'sorry'... Implementing BCP38 (to come
back on-topic) is just plain good neighbourhood policy. I don't go
building 2.5 meter tall fences around my house because I don't want my
neighbour's plants in my garden. No, we come to an understanding that
whenever his plants get out of control in my garden I can cut them
back, but that he will also trim them more often.

In most cases it will go like that, the minority of when it doesn't
go like that, you start filtering / whatever, just like we do now.

Regards,
JP Velders



More information about the NANOG mailing list