BCP38 Deployment

Leo Bicknell bicknell at ufp.org
Wed Mar 28 15:13:35 UTC 2012


In a message written on Wed, Mar 28, 2012 at 11:00:39AM -0400, Patrick W. Gilmore wrote:
> #1) Money.
> Whenever someone asks "why...?", the answer is usually "money".  It costs money - CapEx if your equipment doesn't support RPF, and OpEx even if it does.  Plus opportunity cost if your customers don't like it or you screw up, as those customers will find someone who doesn't filter and move.
> 
> #2) Laziness.
> When the question is "why have [you|they] not...?", the second most common answer is laziness.  Some call it "inertia", but reality is people are busy, lazy, etc.

While Patrick is spot on, there is a third issue which is related
to money and laziness, but also has some unique aspects.

BCP38 makes the assumption that the ISP does some "configuration"
to insure only properly sourced packets enter the network.  That
may have been true when BCP38 was written, but no longer accurately
reflects how networks are built and operated.

To get source address validation widely deployed it needs to be
baked into consumer CPE.  The requirement needs to be a "default
on" in the DOCSIS specs, for instance.  Residential gateways need
to come from the factory with unicast RPF turned on.  BCP38 needs
to be applied at the OEM level in equipment manufacturing, not at
the operational level with ISPs.

There are, simply, too many variations in CPE devices to expect
ISPs to _configure_ them.  Even when the configuration is
"standardized" (like DOCSIS) ISPs have to think really hard about
the operational impact of turning on a feature; and one buggy
implementation can scuttle an idea network wide.

Which really comes back to Patrick's point #2.  If the people who
care about this want to see a positive change they need to stop
badgering ISPs to implement BCP38 and start badgering
Linksys/Netgear/D-Link/Motorola/Apple/Touchstone/SMC/Westtel to
make unicast RPF a default part of their gateway implementation.
More importantly, they need to get them to brand it as a _feature_,
protect your computer from being used by hackers, our router insures
they won't use up all of your data cap!  Then it will be something they
can sell, and thus something they will implement.

As long as folks keep beating on (consumer) ISPs to implement BCP38,
nothing will happen.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
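The "default on" unicast RPF check the post wants baked into residential gateways is a small piece of logic: on each ingress interface, accept a packet only if the route back to its source address points out that same interface (strict mode), or, more loosely, if any non-default route to the source exists at all. The following is an added illustration written for this page, not code from the post or from any CPE vendor; the forwarding table and the packet samples are constructed from RFC 5737 documentation prefixes, and the treatment of the default route in loose mode (ignored unless explicitly allowed) is an assumption modelled on common router behaviour rather than anything the post states.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed forwarding table for a two-segment residential gateway:
# (prefix, egress interface).  Documentation prefixes only.
FIB: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan0"),        # default route to the ISP
    (ipaddress.ip_network("192.0.2.0/24"), "lan0"),     # first customer LAN segment
    (ipaddress.ip_network("198.51.100.0/24"), "lan1"),  # second customer LAN segment
]


def lookup(fib, addr: ipaddress.IPv4Address) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match: return (prefix, egress interface) or None."""
    best = None
    for net, iface in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, ingress_iface: str, src: str, mode: str = "strict",
               allow_default: bool = False) -> bool:
    """Unicast RPF decision for a packet with source `src` arriving on `ingress_iface`.

    strict: the best route to the source must leave via the ingress interface.
    loose : any route to the source suffices; the default route only counts
            when allow_default is set (assumed behaviour, see lead-in).
    """
    match = lookup(fib, ipaddress.ip_address(src))
    if match is None:
        return False
    net, iface = match
    if mode == "strict":
        return iface == ingress_iface
    if mode == "loose":
        return net.prefixlen > 0 or allow_default
    raise ValueError(f"unknown uRPF mode: {mode}")


def filter_ingress(fib, ingress_iface: str, sources: List[str],
                   mode: str = "strict") -> List[Tuple[str, str]]:
    """Apply the uRPF check to a batch of source addresses seen on one interface."""
    return [(src, "accept" if urpf_check(fib, ingress_iface, src, mode) else "drop")
            for src in sources]


# Constructed sample: sources seen on lan0.  The first is a legitimate LAN host,
# the second is a host spoofing an outside address, the third is an address that
# belongs to the other LAN segment.
SAMPLE_LAN0_SOURCES = ["192.0.2.10", "203.0.113.5", "198.51.100.7"]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- lan0 ingress, uRPF {mode} ---")
        for src, verdict in filter_ingress(FIB, "lan0", SAMPLE_LAN0_SOURCES, mode):
            print(f"{src:>16}  {verdict}")
```

Strict mode is the behaviour a factory-default CPE would want: the only addresses a LAN port should ever source are the ones the gateway itself routes to that port, so the spoofed 203.0.113.5 and the mis-segmented 198.51.100.7 are both dropped. Loose mode still catches the spoofed address (its only route is the default) but lets the cross-segment one through, which is why it is the weaker of the two.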