BCP38 making it work, solving problems

Michael.Dillon at radianz.com
Thu Oct 14 10:48:24 UTC 2004


> At 12:01 PM 10/13/04 +0200, Iljitsch van Beijnum wrote:
> >Trusting the source when it says that its packets aren't evil might be 
> >sub-optimal. Evaluation of evilness is best left up to the receiver.
> 
> Likely true. Next question is whether the receiver can really determine 
> that in real time. For some things, yes, but for many things it is not as 
> obvious to me. 

Correct me if I'm wrong here, but my interpretation of this
suggestion was not that we should trust the source to mark
packets but that we should trust our peers to mark packets.

This seems to be something that is workable since most people
have a manageable number of peers. Presumably each peer could
mark the traffic based on what they know about their customer's
network. If a customer follows all best practices, they mark it
with the non-evil bit, otherwise not. If truly evil traffic is
coming in from a peer, then one could apply mitigating actions
only to traffic that is not marked non-evil, either blackholing
it all or diverting it to a router that will perform complex
filtering or heavily rate limiting it.

It seems to me that really addressing DDOS, botnets, etc., 
requires network operators to agree on some sort of common
coordinated action and using a network protocol to communicate
about this coordinated action would be very useful.

This doesn't mean that the non-evil bit is the only way,
but the idea of network operators marking traffic in some
way to indicate their level of confidence in its normality
seems to be worth pursuing. It seems to be the natural
progression of projects like the selection found at
cymru.com.

--Michael Dillon
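An added illustration of the scheme sketched above (example code written for this page, not code from the thread or from any operator): a peer runs a BCP38 ingress filter on its customer links and sets a "non-evil" mark only on traffic from customers it vouches for; the receiving network trusts the peer's mark, not the source, and during an attack applies its mitigation (here a token-bucket rate limit, standing in for the blackhole or scrubbing-router options) to unmarked traffic only. The peer/customer table, the prefixes, and the representation of the mark as a boolean field rather than a real header bit are all assumptions for the simulation.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str            # source address as text
    customer: str       # customer link it arrived on (known to the peer only)
    peer: str           # peer that hands it to us
    non_evil: bool = False  # the mark; assumed to ride in something like a DSCP value


# Constructed, hypothetical table of one peer's customers: which prefixes each
# may originate and whether the peer vouches for that customer's practices.
PEERS = {
    "peer-a": {
        "cust-1": {"prefixes": ["192.0.2.0/24"], "bcp38": True},
        "cust-2": {"prefixes": ["198.51.100.0/24"], "bcp38": False},
    },
}


def bcp38_permits(src, prefixes):
    """BCP38 ingress check: the source must fall inside the prefixes the
    customer on that link is allowed to originate."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def peer_edge(pkt, peers=PEERS):
    """The peer's customer edge. Spoofed sources are dropped (None); everything
    else is forwarded, marked only if the peer vouches for that customer."""
    cust = peers.get(pkt.peer, {}).get(pkt.customer)
    if cust is None or not bcp38_permits(pkt.src, cust["prefixes"]):
        return None
    return replace(pkt, non_evil=cust["bcp38"])


class TokenBucket:
    """Minimal token bucket: `burst` tokens, refilled at `rate_pps` per second."""

    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def our_border(stream, under_attack, bucket):
    """Our side: trust the peer's mark, not the source. Outside an attack forward
    everything; during one, marked packets pass and unmarked ones are rate limited."""
    forwarded, limited = [], []
    for now, pkt in stream:
        if not under_attack or pkt.non_evil or bucket.allow(now):
            forwarded.append(pkt)
        else:
            limited.append(pkt)
    return forwarded, limited


def run_scenario(under_attack=True, burst=10):
    """Constructed traffic: 5 packets from the vouched-for customer, 40 from the
    other, and 1 spoofed packet that the peer's BCP38 filter must drop."""
    raw = [Packet("192.0.2.%d" % i, "cust-1", "peer-a") for i in range(1, 6)]
    raw += [Packet("198.51.100.%d" % (i + 1), "cust-2", "peer-a") for i in range(40)]
    raw.append(Packet("10.0.0.1", "cust-1", "peer-a"))  # spoofed: outside cust-1's prefix
    handed_over = [p for p in (peer_edge(p) for p in raw) if p is not None]
    stream = [(0.0, p) for p in handed_over]  # all in one burst, so only `burst` unmarked pass
    fwd, lim = our_border(stream, under_attack, TokenBucket(rate_pps=0, burst=burst))
    return {
        "bcp38_dropped": len(raw) - len(handed_over),
        "marked": sum(p.non_evil for p in handed_over),
        "forwarded": len(fwd),
        "limited": len(lim),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes is the one in the post: the receiving network never evaluates the source itself, it only acts on the peer's mark, so the mitigation falls entirely on traffic the peer declined to vouch for while vouched-for traffic is untouched.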