BCP38 making it work, solving problems

alex at yuriev.com alex at yuriev.com
Tue Oct 12 16:49:54 UTC 2004

> uPRF is only one of several ways to implement BCP38.  you could do it with
> contracts and reverse-SLA's and thus no technology (on your side) at all:
> demand that a customer pay 10X his bill, or $1.00 per packet, whichever is
> lower, if they emit packets with source addresses no explicitly named in
> the contract.  why pay for expensive upgrades on your end of the link, when
> all you really care about is that BCP38's rules are observed?

No reasonably sized provider is going to do that. There is too much
competition, most of which is based on price. Until the companies creating
the price pressure die (as in die completely, not re-emerge under a new,
slightly different name), there is going to be no financial insentive for
anyone to spend money improving their network. Let me underline, I am not
talking about smaller ISPs, smaller networks or smaller service providers.

> that is of course good news.  but it demonstrates a pitfall in CFO-think,
> which is the belief that participating in assymetric cost:benefit efforts
> (where uunet bears the cost of an upgrade in order for all the non-uunet
> parts of the internet to get the benefit of less spoofed traffic, and the
> abuse incident costs don't drop nearly enough to pay for the upgrades) is
> essentially a selfless act.

Rubbish. CFO speak is what keeps the companies alive. Engineer-speak
typically lands the company in chapter 11. Companies in Chapter 11 have too
many operational decisions dictated by the courts, and those that think CFO
speak would greally hate to hear courts on the topic.

> we all want cleaner ddos flows.  when we get ddos'd, we want to be able to
> look at the source addresses, look 'em up in whois, and call the launch-isp,
> and get things stopped.  we want to be able to turn on flow shaping and
> know that an attacker can't cause us to use an arbitrarily large number of
> buckets.  we *all* want these things.  even the bad guys, who are often the
> victim of ddos attacks by other bad guys, want these things.

It is possible that _nanog_ subscribers want this. I am not quite clear how
one can make that generalization about those behind kor.net, those in .ru,
.ua etc. Finally, 

> how are we going to get there?  the first thing is, some nets who want the
> internet to work this way have to implement BCP38 in their own corner of the
> internet.  then they have to start de-peering with nets who don't do it, and
> offer a better rate to customers who do it than to those who don't.  then
> they have to de-peer with anyone who doesn't require their peers and customers
> to do it.  then they have to refuse as customers anyone who won't do it.

Last time I checked it was 2004, not 1998. The companies are financed by
revenues that they generate, not IPOs or VCs based on a promise of enormous
payoff sometime down the road. Cash is the king.  

> it's all very simple, and it's inevitable.  you and your CFO's have a couple
> of choices to make.  first thing is, do you want the insurance companies,
> government regulatory agencies, and ISO9000 people to be making these rules
> or do you want to make them at the technical and business level? 

Yes, I do. This will level playing field and hopefully force a few of the
big networks out of business completely, decreasing price pressure on this
service. A drop in the price pressure will create an opportunity for those
companies to spend the money (should they want to or be forced to) to be
better internet citizens.

This is just the cold blooded economic reality. The same reality which
dictates that only smaller companies can enfore strict anti-spam policies,
and prevent their customers from behaving badly.


More information about the NANOG mailing list