BCP38 - Internet Death Penalty

Jay Ashworth jra at baylink.com
Tue Mar 26 20:09:23 UTC 2013


----- Original Message -----
> From: "William Herrin" <bill at herrin.us>

> Yes, but scope the problem a little differently.
> 
> 1. The general IDP does not apply to stub networks which do not speak
> BGP. It is for those stubs' ISPs to determine how they'll handle
> mis-sourced traffic they receive from those networks.

So, here, you mean customers of such as "Road Runner Business", who
have an office full of workstations and maybe some servers.

The goal, unless I badly misunderstood it, was to *drop* forged traffic
coming from this sort of source (assuming you generalize "my PC at
home on a cablemodem" as the limiting example of this class, which I
do).

> 2. A BGP origin-only network is required to secure its BGP-speaking
> borders against source address spoofing. It may also secure spoofing
> from downstream networks (and in fact it SHOULD do so) but it avoids
> the IDP so long as its BGP-speaking borders are secured.

This is the next size up of edge network; a buyer of transit.

This item does no good; you're expecting *the potential bad actor*
*not to act badly*.

> 3. A BGP transit network is required to secure all components of its
> network against source address spoofing, including all non-BGP stub
> customers and all origin-only BGP customers. It is not expected to
> prevent spoofed packets from arriving from neighboring transit BGP
> networks.

*This* is Road Runner.  Also Comcast, Mindspring, and the other Top 40
eyeball networks.  It is also, of course, larger carriers who sell access
in addition to more traditional transit and possibly peering.

AFAICT, this is the spot where source-address-spoofing needs to be 
*enforced*; the people selling connections and transit here *know* what
addresses should be coming in those pipes, and can therefore -- if their
gear permits, and it damned well should by now -- force the dropping of
all packets coming in with bogus source addresses.

> It is also expected to promptly assist (24/7/365) with trace requests
> from any individual presenting legitimate credentials as the assignee
> of a particular source address and presenting with reasonable evidence
> that packets with a spoofed address cross a specifically identified
> system owned by the transit network. Where the packet stream
> continues, these trace requests must promptly result in identification
> of the actual source of the packet (if within the transit network's
> system) or the identification of the neighboring system, the specific
> entry point and high-level contacts within the neighbor system capable
> of continuing the trace.

Assuming they pass the packets at all, which is what I'm trying to prevent,
myself.  Surely, special case handling will need to be done for customers
who are multihomed, and may originate packets from connection A out
connection B, but *this is the layer* where that must be done; you can't
do it any closer to the backbone, since the necessary administrative 
knowledge isn't available there.
 
> 4. Applying the IDP _does not_ mean you cut off the network. That'll
> piss off your customers as much or more than it pisses off theirs. The
> position is untenable. Instead, the IDP consists of redirecting the
> offender's public presence web sites to a web site which proclaims the
> IDP, lists the causes of the IDP and lists the actions required to
> lift the IDP.

Unless I misunderstand you there, you're suggesting that inbound HTTP to
public websites *operated by the spoofing entity* should be redirected
to a site that shames them?  Yeah, that will piss them off less... :-)

> 5. IDP can't be a local decision. We should elect or empanel or
> otherwise select a group of individuals who decide both when a network
> gets the IDP and when the IDP is lifted. Compliance with the group's
> decision to impose an IDP can be optional but a riot of RBLs like those
> that have developed in the anti-spam community would cause at least as
> much trouble as it fixes.

> > Do the engineering heads at the top 10 tier-1/2 carriers carry enough
> > water to make that sale to the CEOs?
> 
> To ask the CEOs to authorize cutting off access to a competitor's web
> site with the full support and approval of a group of recognized
> Internet luminaries?

The problem with that sub-approach is that luminaries (of the scale that
everyone will automatically listen to them), as Jon Postel has said, do
not scale.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
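The filtering layer Jay argues for above (the access/transit provider knows which addresses belong on each customer port and drops everything else), together with the multihomed special case he raises, as an added example that is not part of the thread. The port names, prefixes and packets are constructed from documentation ranges; the class and its method names are this example's own, not any vendor's configuration syntax.

```python
import ipaddress
from collections import Counter

# Constructed sample assignments (documentation ranges, not real customers).
# Each customer-facing port lists every prefix that customer legitimately
# holds. The customer on ge-0/0/2 is multihomed: 192.0.2.128/25 is routed
# to it via another provider, but it may still source packets from that
# range through this port, so the prefix is listed here as well.
PORT_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "192.0.2.128/25"],
}

# Constructed sample packets: (ingress port, source address, destination).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.7",  "192.0.2.1"),    # legitimate
    ("ge-0/0/1", "198.51.100.9", "192.0.2.1"),    # another customer's address: spoofed
    ("ge-0/0/2", "192.0.2.200",  "203.0.113.1"),  # multihomed customer's other prefix: allowed
    ("ge-0/0/2", "10.0.0.1",     "203.0.113.1"),  # RFC 1918 source: spoofed
    ("ge-0/0/9", "203.0.113.8",  "192.0.2.1"),    # port with no prefix list: default deny
]


class IngressFilter:
    """Per-port source-address allow list in the spirit of BCP38.

    Anything arriving on a customer port whose source is not inside one of
    that port's assigned prefixes is dropped and counted against the port,
    which also gives the operator a per-customer spoofing signal to alert on.
    """

    def __init__(self, port_prefixes):
        self.allowed = {
            port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in port_prefixes.items()
        }
        self.drops = Counter()

    def permitted(self, port, src):
        """True if src falls inside a prefix assigned to this port."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # an unparsable source address is never legitimate
        # A port with no configured prefix list gets an empty allow list,
        # so it is default deny; an address-family mismatch also fails.
        return any(addr in net for net in self.allowed.get(port, []))

    def filter(self, packets):
        """Return the packets that pass; record drops per ingress port."""
        passed = []
        for port, src, dst in packets:
            if self.permitted(port, src):
                passed.append((port, src, dst))
            else:
                self.drops[port] += 1
        return passed


def run_example():
    """Run the constructed packets through the filter."""
    f = IngressFilter(PORT_PREFIXES)
    passed = f.filter(SAMPLE_PACKETS)
    return passed, dict(f.drops)


if __name__ == "__main__":
    passed, drops = run_example()
    for pkt in passed:
        print("pass", pkt)
    print("drops per port:", drops)
```

The multihomed entry is the point of keeping an explicit per-customer prefix list at this layer rather than relying only on strict unicast RPF: a strict RPF check would reject 192.0.2.200 on ge-0/0/2 because the route for that prefix does not point back out that port, whereas the provider's own assignment records say it is legitimate. The per-port drop counter is the detection side of the same data: a customer port whose drops climb is the place to start a trace.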