Are we really this helpless? (Re: isprime DOS in progress)

Paul Ferguson fergdawgster at
Sun Jan 25 02:13:14 UTC 2009

Hash: SHA1

On Sat, Jan 24, 2009 at 6:05 PM, Mark Andrews <Mark_Andrews at> wrote:

>> BCP 38 isn't a license, it's a technique.
>        There are plenty of cases in common law where as a owner
>        of something and you havn't taken reasonable steps to protect
>        or prevent injury that, were well known, you will be proved
>        to be negligent.
>        BCP 38 is falling into that sort of category.
>        Every operator here should be worried about what will happen
>        when someone decides to sue them to recover damaged caused
>        by spoofed traffic.  It's just a matter of time before this
>        happens.  Remember every router inspects packets to the
>        level required to implement BCP 38.  This is not deep packet
>        inspection.  This is address inspection which every router
>        performs.
>                Did you know about "BCP 38"?
>                What steps did you take to implement "BCP 38"?
>        I suspect that a lawyer will be able to demonstrate to a
>        judge that even as a common carrier that a operator should
>        have been deploying BCP 38.

I think each point above is true -- BCP38 is indeed a technique, but
failure to universally implement it defaults to (almost) a tragedy of the

After ~10 years, it is surreal to me that we, as a community, are still
grappling with issues where it could be beneficial for the Internet
community at-large. I mean, it _is_ a BCP.

- - ferg

p.s. Even when Dan Senie and I drafted RFC2827/BCP38, we were doing nothing
more than documenting what everyone (well, maybe not everyone) already knew
anyway -- that we all need to bite the bullet and just do it.

Version: PGP Desktop 9.6.3 (Build 3017)


"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 ferg's tech blog:

More information about the NANOG mailing list