BCP38 Deployment

• Previous message (by thread): BCP38 Deployment
• Next message (by thread): BCP38 Deployment
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

While I'm a big fan of RFP, it does require that operators be "good
citizens" for it to be effective. Like most of the Internet, it's
built on a "web" of trust.




On Wed, Mar 28, 2012 at 12:10 PM, Bingyang LIU <bjornliu at gmail.com> wrote:
> Hi David, Leo, Patrick and all,
>
> Considering the reasons you raised, do you think the following two things
> can happen?
>
> 1. Give BCP38 the only practical anti-spoofing technique, can an ISP well
> protect its customers by implementing BCP38? I don't think so, because I
> think BCP38 is accurate near the source but inaccurate near the
> destination, i.e. if its customer is the target of spoofing attack, its
> capability to filter is relatively low.
>
> 2. Even if ineffective near the destination, is an ISP willing to deploy it
> if it becomes easy to adopt and risk-free (no false positive)?
>
> Sorry for my stupid and naive questions.
>
> best
> Bingyang
>
> On Wed, Mar 28, 2012 at 5:45 PM, David Conrad <drc at virtualized.org> wrote:
>
>> Leo,
>>
>> On Mar 28, 2012, at 8:13 AM, Leo Bicknell wrote:
>> >> #1) Money.
>> >> #2) Laziness.
>>
>> > While Patrick is spot on, there is a third issue which is related
>> > to money and laziness, but also has some unique aspects.
>> >
>> > BCP38 makes the assumption that the ISP does some "configuration"
>> > to insure only properly sourced packets enter the network.  That
>> > may have been true when BCP38 was written, but no longer accurately
>> > reflects how networks are built and operated.
>>
>> An interesting assertion.  I haven't looked at how end-user networks are
>> built recently.  I had assumed there continue to be customer aggregation
>> points within ISP infrastructure in which BCP38-type filtering could occur.
>>  You're saying this is no longer the case?  What has replaced it?
>>
>> > BCP38 needs
>>
>> > to be applied at the OEM level in equipment maufacturing, not at
>> > the operational level with ISP's.
>>
>> I don't believe this is either/or.  I agree that BCP38 features should be
>> turned on by default in CPE, however I believe it really needs to be
>> enforced at the ISP level.
>>
>> > As long as folks keep beating on (consumer) ISPs to implement BCP38,
>> nothing will happen.
>>
>>
>> Optimist.
>>
>> Actually, given the uptick in spoofing-based DoS attacks, the ease in
>> which such attacks can be generated, recent high profile targets of said
>> attacks, and the full-on money pumping freakout about anything with
>> "cyber-" tacked on the front, I suspect a likely outcome will be proposals
>> for legislation forcing ISPs to do something like BCP38.
>>
>> Regards,
>> -drc
>>
>>
>>
>
>
> --
> Bingyang Liu
> Network Architecture Lab, Network Center,Tsinghua Univ.
> Beijing, China
> Home Page: http://netarchlab.tsinghua.edu.cn/~liuby



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

• Previous message (by thread): BCP38 Deployment
• Next message (by thread): BCP38 Deployment
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]