BCP38 Deployment

• Previous message (by thread): RPKI support from router verndors
• Next message (by thread): BCP38 Deployment
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi all,

I'm Bingyang Liu, a ph.d student in Tsinghua University. My thesis topic is
on "source address validation".

Although BCP38 was proposed more than ten years ago, IP spoofing still
remains an attack vector [MIT-Spoofer] [ARBOR-Annual-Report] [Presentation
on NANOG Meeting] [Discussion in NANOG ML].

I did a lot investigation, but still have no idea why so many ISPs haven't
deploy BCP38. I enumerate three reasons I found, and I'd like your comments
very much.

1. Stub ASes: They rely on their providers to filter, so they won't deploy
BCP38 on their own.
2. Low tier transit ASes: They are most likely to deploy BCP38 on the
interfaces towards their customers.
3. Large or tier1 ASes: Their peers and customers are also large. So uRPF
may have false positive and ACLs are too large to manage.

I also asked some ISP guys in IETF today, they all agreed that IP spoofing
is an issue, but they may haven't deployed it. One key issue, I think, is
about incentive. i.e. you can filter, but you'll still receive spoofing
from providers and peers who haven't enforced BCP38.

best
Bingyang

-- 
Bingyang Liu
Network Architecture Lab, Network Center,Tsinghua Univ.
Beijing, China
Home Page: http://netarchlab.tsinghua.edu.cn/~liuby

• Previous message (by thread): RPKI support from router verndors
• Next message (by thread): BCP38 Deployment
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]