BCP38 Deployment

Joe Greco jgreco at ns.sol.net
Wed Mar 28 20:22:05 UTC 2012


> 1. Given BCP38 the only practical anti-spoofing technique, can an ISP well
> protect its customers by implementing BCP38? I don't think so, because I
> think BCP38 is accurate near the source but inaccurate near the
> destination, i.e. if its customer is the target of spoofing attack, its
> capability to filter is relatively low.

Nobody seems to have corrected this point.

BCP38 is not intended to protect an ISP's customers.  We're used to
thinking in terms of protecting ourselves; you put locks on your
front door or firewalls in front of your server.  That's protecting
yourself.  If an ISP provides firewalling for their customers, then 
they are using it to protect the ISP's customers.  

BCP38 is intended to protect the *rest* of the Internet from *you* -
or, more precisely, a bad guy who has taken over your connection.
If your ISP implements BCP38, they are protecting everyone *else*
from spoofed packets from your connection.  It provides no protection
for you, though.

What provides protection for you is when *other* ISPs implement BCP38.
If every other ISP except yours implemented BCP38, you'd be very well
protected indeed.

The problem here is that BCP38 assumes that service providers will work
in the best interests of the Internet in general, implementing a filter
that provides no measurable RoI for the SP.  It's something that reduces
everyone *else's* problems.  It's good to implement on that basis, but
most networks don't.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
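
The asymmetry described in the message above, as an added Python illustration that is not part of the original post: BCP38 is modelled as a source-prefix check on packets leaving each ISP's customers. The ISP names, prefixes (RFC 5737 documentation ranges) and forged address are constructed for the example.

```python
import ipaddress

# Constructed topology: hypothetical ISPs with documentation prefixes.
ASSIGNED = {
    "isp_a": ipaddress.ip_network("192.0.2.0/24"),
    "isp_b": ipaddress.ip_network("198.51.100.0/24"),
    "isp_c": ipaddress.ip_network("203.0.113.0/24"),
}


def egress_permitted(origin_isp, src, deployed):
    """Source-address check on the customer-facing edge of origin_isp.

    Without BCP38 any source address leaves the network; with it, only
    addresses inside the prefix assigned to that ISP's customers do.
    """
    if origin_isp not in deployed:
        return True
    return ipaddress.ip_address(src) in ASSIGNED[origin_isp]


def spoofing_origins(victim_isp, deployed, forged_src="10.9.8.7"):
    """ISPs other than the victim's from which a forged-source packet
    still reaches the victim.

    The victim's own ISP never appears as a filter on this path: its
    BCP38 check only inspects what its own customers send outward.
    """
    return sorted(
        isp for isp in ASSIGNED
        if isp != victim_isp and egress_permitted(isp, forged_src, deployed)
    )


if __name__ == "__main__":
    # Only the victim's ISP filters: every other network can still spoof.
    print(spoofing_origins("isp_b", deployed={"isp_b"}))
    # Everyone except the victim's ISP filters: no spoofing origin is left.
    print(spoofing_origins("isp_b", deployed={"isp_a", "isp_c"}))
```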



