BCP38 Deployment
David Conrad
drc at virtualized.org
Wed Mar 28 15:45:12 UTC 2012
Leo,
On Mar 28, 2012, at 8:13 AM, Leo Bicknell wrote:
>> #1) Money.
>> #2) Laziness.
> While Patrick is spot on, there is a third issue which is related
> to money and laziness, but also has some unique aspects.
>
> BCP38 makes the assumption that the ISP does some "configuration"
> to insure only properly sourced packets enter the network. That
> may have been true when BCP38 was written, but no longer accurately
> reflects how networks are built and operated.
An interesting assertion. I haven't looked at how end-user networks are built recently. I had assumed there continue to be customer aggregation points within ISP infrastructure in which BCP38-type filtering could occur. You're saying this is no longer the case? What has replaced it?
> BCP38 needs
> to be applied at the OEM level in equipment maufacturing, not at
> the operational level with ISP's.
I don't believe this is either/or. I agree that BCP38 features should be turned on by default in CPE, however I believe it really needs to be enforced at the ISP level.
> As long as folks keep beating on (consumer) ISPs to implement BCP38, nothing will happen.
Optimist.
Actually, given the uptick in spoofing-based DoS attacks, the ease in which such attacks can be generated, recent high profile targets of said attacks, and the full-on money pumping freakout about anything with "cyber-" tacked on the front, I suspect a likely outcome will be proposals for legislation forcing ISPs to do something like BCP38.
Regards,
-drc
More information about the NANOG
mailing list