BCP38 tester?

Alain Hebert ahebert at pubnix.net
Mon Apr 1 02:03:43 UTC 2013


  On 03/31/13 21:50, Jason Lixfeld wrote:
> On 2013-03-31, at 9:43 PM, Peter Baldridge <petebaldridge at gmail.com> wrote:
>
>> I can assume that if you are spoofing packets, resetting passwords on CPE and replacing the box would be trivial.  So it's questionable how useful this is.  It seems like it just adds cost for customers that can't spoof a packet to save their lives.
> Maybe it's useful for the people who have no idea that their computers are infected by bots that spoof packets.
>
>> On Mar 31, 2013 6:37 PM, "Jason Lixfeld" <jason at lixfeld.ca> wrote:
>>
>> On 2013-03-31, at 10:48 AM, Jay Ashworth <jra at baylink.com> wrote:
>>
>>> Is there a program which users can run on an end-site workstation which
>>> would test whether they are behind some link which is doing BCP38, or some
>>> related type of source-address ingress filtering?
>>>
>>> I'm hoping for something that could be downloaded by users and run, and
>>> try to forge a few packets to somewhere useful, which could be logged
>>> somehow in conjunction with some unforged packets containing a traceroute,
>>> so we could build up a database of leaky networks.
>>>
>>> On a related topic, while I know GRC Research's Steve Gibson is a bit of
>>> a polarizing personality, he does have a fairly sizable consumer audience,
>>> and might be a great distribution venue for such a thing.
>>>
>>> Or, perhaps, is there someone on here from Ookla?
>>>
>>> Patrick?  Could Akamai be persuaded to take an interest in this as a
>>> research project?
>>
>> From my perspective, 99% of end-users probably don't understand (or care) that their provider might be responsible for initiating or precipitating a DDoS attack, period.  Most network operators are probably either too inexperienced to understand or too lazy to care.
>>
>> I believe that most everyone has a CPE of some sort, whether their service is resi or commercial.  So, what about shifting the focus to the CPE manufacturers?  They bend to technology and/or market pressures by bringing things like NAT, Firewalls, DLNA, UPnP, IPv6 (heh), PPPoE, RFC1483, etc. to their respective products to satisfy technology limitations or security concerns or whatever.  Why can't they help the cause by implementing some sort of RFC'ified BCP38 thing?
>>

    An easy target would be anti-virus/trojan/security software
providers that could add a BCP38 check to their software =D

-----
Alain Hebert                                ahebert at pubnix.net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443




