BCP38 (was: Re: Why won't providers source-filter attacks? Simple.)

John Curran jcurran at arin.net
Fri Feb 7 20:37:49 UTC 2014


On Feb 5, 2014, at 2:12 AM, Jimmy Hess <mysidia at gmail.com> wrote:
>> On Wed, 05 Feb 2014 12:18:54 +1100, Mark Andrews said:
>>> Now if we could get equipment vendors to stop shipping models
>>> without the necessary support it would help but that also may require
>>> government intervention.
>>> ...
> 
> A good start would be to get BCP38 revised to router the Host
> requirements RFCs, to indicate that ingress filtering should be
> considered mandatory on site-facing interfaces.
> ...

It's also true that if a sizable group of network operators were to actually 
deploy source address validation (thus proving that it really is a reasonable 
approach and doesn't carry too many operational or vendor implications),
then it would be quite reasonable for those operators to bring the results 
to NANOG and get it recognized as a best current operating practice for 
networks of similar design/purpose.

> If the standards documents still just call it a best practice.... what
> hope is there of having governments require it of the service providers
> that their networks are connected to, anyways?

There is a significant difference between a "best current practice" (BCP)
document from the IETF (a technical standards body) versus one which actually
reflects the well-considered best practices of a large network operator forum.  
The latter would be of some interest to governments (and groups of governments)
when they ask for any options that might help with their growing spam and DDoS 
concerns...

FYI,
/John







