BCP here and there
hobbit at avian.org
Thu Sep 4 18:08:21 CDT 2008

In my mind, a suite of practices to keep one's garbage contained and
not all over the neighbor's lawn is a good thing and covers many
bases. RPF/BCP38 seems to be the IP level equivalent of blocking
ingress SMTP and forcing delivery through outbound-only servers that
check the claimed envelope and/or header senders for sanity relative
to the authorized sending networks. If so many people are agreeing
on BCP38, what's with the resistance about email, clearly an
equally polluted swamp? Why would one not want to view the two
issues as much the same problem, at different layers?

And yes, I was assuming split-brained mail infrastructure to make
port-25 filtering much simpler. To counter someone's counterargument,
it could boil down to two ACL lines in *many* places, but clearly
not all. Said two lines can come right before the one that says
"permit ip my-source-only any", couldn't they??

Not in a blanket sense, of course -- these things done *where
appropriate* and tuned to known requirements could vastly improve
matters, but it seems that even after all these years so many of
the appropriate places haven't even been touched let alone fixed.