BCP38 Deployment

Leo Bicknell bicknell at ufp.org
Wed Mar 28 20:36:49 UTC 2012


In a message written on Wed, Mar 28, 2012 at 12:44:04PM -0700, Michael Thomas wrote:
> Except for the small problem that getting cheap home router box
> manufacturers to do just about anything is a pushing on string exercise.
> So if I want to a) protect my network and b) be a good netizen, I'm
> still going to want to do BCP 38 regardless of whether others violate
> a, b or both. Right?

BCP38 has nothing to do with a), doing it on your own network doesn't
really protect you from much of anything of note.  It's all about
b), being a good citizen, and having a leg to stand on when you try
to convince others to do the same which will help protect you.

But the home router vendors aren't as hard to make move as you
think.  True, the chance of them moving in response to the fact
that BCP38 exists, or that NANOG wants them to is zero.  Nada,
zilch.  However, there are some powerful companies that buy a lot
of boxes from these vendors.  That free-to-the-subscriber box with
a Comcast, Verizon, Cox, Cable Vision, AT&T, SBC, or other provider
label on it is just a rebranded version of one of these devices.

If the guy buying several million dollars worth of the boxes showed
up and demanded this feature, it would be done.  Once it's done for
them, it's a free "feature" they can market in the boxes at Best Buy
to try and recover more of their development costs.

So in that sense we need to pressure the ISPs to implement BCP38!
Maybe I'm back to agreeing with the OP!  However we need to pressure
them not to turn on RPF on their routers (although that's a fine
thing too, defense in depth and all, if they can they should), but
to pressure the vendors they are buying from to do it.  The standards
bodies should also be pressured as well, to get it into the
specifications.

I think some engineers need to ask some interesting questions, like
how, in a box doing NAT to an outside IP, does it ever emit a packet
not from that outside IP?  The fact that you can spoof packets
through some of the NAT implementations out there is mind-blowing
to me.

I'm telling you, if the big 10 ISPs would just add one bullet point
to their RFPs for equipment:

 * Any device performing an IP routing function must default to strict
   mode unicast RPF for all connected networks as specified in RFC 3704 
   Section 2.2 as a method of implementing BCP38.

We'd be done with this issue and move on to other things.  Sure, there
would still be spoofed packets, and yes, other types of operators (like
free public wifi and such) still need to do the right BCP38 filtering
when configuring their systems...but just having this on all residential
gear gets rid of well over 90% of the crud we're all trying to stop.


-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
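As an added illustration of the bullet point the post wants in the RFPs (example code written for this page, not from the post or from any vendor), the following Python models strict-mode unicast RPF per RFC 3704 section 2.2 on a residential NAT router's LAN side, plus the WAN-egress rule implied by the "how does a NAT box ever emit a packet not from its outside IP" question. The FIB, the addresses, and the interface names lan0/wan0 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: source, destination, ingress interface."""
    src: str
    dst: str
    ingress: str

# Constructed FIB for a home router (interface names are assumptions):
# the LAN subnet sits behind "lan0", the default route points at "wan0".
FIB = [
    (ipaddress.ip_network("192.168.1.0/24"), "lan0"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan0"),
]
WAN_ADDR = ipaddress.ip_address("203.0.113.7")  # constructed public address

def best_route(addr):
    """Longest-prefix match: the interface the FIB would use to reach addr."""
    a = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in FIB if a in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def strict_urpf_ok(pkt):
    """Strict uRPF (RFC 3704 sec. 2.2): accept only if the route back to the
    source leaves via the interface the packet arrived on.  With a default
    route via wan0 the check on wan0 passes almost anything, so the useful
    placement on a CPE box is the LAN-facing side."""
    return best_route(pkt.src) == pkt.ingress

def nat_egress_ok(pkt):
    """A NAT box should only ever emit packets toward the WAN sourced from
    its own public address; anything else is a spoof leaking through NAT."""
    return ipaddress.ip_address(pkt.src) == WAN_ADDR

def filter_lan_ingress(packets):
    """Split LAN-side packets into (accepted, dropped) by strict uRPF."""
    accepted, dropped = [], []
    for p in packets:
        (accepted if strict_urpf_ok(p) else dropped).append(p)
    return accepted, dropped

if __name__ == "__main__":
    sample = [Packet("192.168.1.10", "198.51.100.1", "lan0"),   # legitimate
              Packet("198.51.100.5", "198.51.100.1", "lan0")]   # spoofed source
    ok, bad = filter_lan_ingress(sample)
    print(f"accepted={len(ok)} dropped={len(bad)}")   # accepted=1 dropped=1
```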