BCP38 - Internet Death Penalty

Jason Ackley jason at ackley.net
Wed Mar 27 22:10:10 UTC 2013


On Wed, Mar 27, 2013 at 4:19 PM, Paul Ferguson <fergdawgster at gmail.com> wrote:


> Some people are going to have to step and add a few thousand more
> frequent flier miles and get out to various geographic constituencies,
> at various events, and start talking about this. And we need a lot
> more people on board. Nation & international campaigns, etc.
>
>
Agree 100%.

One thing that I will mention is a subtle issue that needs more thought. I
think one of the challenges for this is answering the question of 'How does
this make it better for my network on day one?'. Well, it doesn't for
the majority of impact that people may be seeing.

For example - Let us say someone is not currently running a fully
BCP38-compliant network (shame on them, blah blah). They can do the
remaining work to fix this in XXX hours at YYY cost.

The issue for them may be that they are the *destination* of the attacks
that leverage non-BCP38 compliant networks. So even after investing XXX
hours and YYY dollars it doesn't 'cure' the majority of the problems for
them related to spoofing. So any spend on this is not a 'fix' as much as it
is a 'fix for others'. (which certainly still needs to be done, don't get
me wrong!)

Spoofing remains a problem until *everyone* gets it done or there is
enough motivation to get it done without benefit to your own network.

If Network_Zed is the last to go BCP38-compliant in 2023, then the rest of
the internet is still vulnerable to the nasty items that can take place
from the Network_Zed network until that time.

Accepting that, I think we need to find ways to make it where it stays on
the radar - as has been suggested via walls of shame, RIR pressure, etc.
Perhaps 'spoofing fees' etc.?

I hate to have an approach of 'fix this or I will hit you with this stick!'
- but this has got to stop..

OK, back to my hole watching all the presumably spoofed incoming traffic
that happens to be on udp/53 and looking for ANY? isc.org :-)


--
jason


