Why won't providers source-filter attacks? Simple.

Leo Bicknell bicknell at ufp.org
Thu Feb 6 20:54:25 UTC 2014


On Feb 5, 2014, at 2:46 AM, Saku Ytti <saku at ytti.fi> wrote:

> If we keep thinking this problem as last-mile port problem, it won't be solved
> in next 20 years. Because lot of those ports really can't do RPF and even if
> they can do it, they are on autopilot and next change is market forced
> fork-lift change. Company may not even employ technical personnel, only buy
> consulting when making changes.

It can be solved, but not by NANOG.

Imagine if Cable labs required all DOCSIS compliant cable modems to default
to doing source address verification in the next version of DOCSIS?  It would
(eventually) get rolled out, and it would solve the problem.  Even if it doesn't
default to on, requiring the hardware to be capable would be a nice step.

The consumer last mile is actually simpler in that there are a few organizations
who "control" the standards.  Efforts need to focus on getting the BCP38 stuff
into those standards, ideally as mandatory defaults.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/





-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 793 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20140206/5bcd533f/attachment.bin>


More information about the NANOG mailing list