saku at ytti.fi
Tue Jan 14 07:18:30 UTC 2014
On (2014-01-13 21:33 +0000), Bjoern A. Zeeb wrote:
> BCP38! I am always surprised when people need crypto if they fail the simple things.
Saying that BCP38 is a solution to the reflection attacks is not unlike a 5 year
old wishing for nothing but world peace for Christmas: endearing, but it's not
going to change anything.
BCP38 is completely unrealistic: many access networks are on autopilot, many
don't have HW support for BCP38, and one port configured has low benefit, as only
that machine can stop attacking (but whole world).
Near term, reducing attack surface is practical to reduce impact (not a
solution, just damage control).
Near term, transit providers who do BGP prefix-lists could use the same
prefix-list for an ACL, segmenting spoofing domains. It's very high pay-off: a
couple of ports configured, and the whole downstream branch is isolated into its own
spoofing domain, able to attack only targets inside the same domain.
Mid term, transport area in IETF. DNS, NTP, SNMP, chargen et al. could
trivially change to QUIC/MinimaLT or comparable, getting the same 0 RTT penalty as
UDP without reflection potential.
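The "reuse the BGP prefix-list as an ingress ACL" idea from the message above, shown as an added example that is not part of the original post or of any vendor's code. It assumes a constructed per-customer prefix-list in IOS `ip prefix-list` syntax (names `CUST-A`, `CUST-A-V6`, addresses from documentation ranges), derives a source-address filter from it, renders that filter as an IOS-style extended ACL, and runs constructed sample packets through it. The last two IPv4 packets illustrate the point in the post: a source outside the customer's prefixes is dropped at the transit edge, while a spoofed source that is still inside the customer's own prefixes is forwarded, so the customer can only hit targets within its own spoofing domain.

```python
"""Derive an ingress anti-spoofing filter from a customer BGP prefix-list.

Added example, not from the NANOG thread. Assumption: the transit provider
already maintains a per-customer prefix-list that limits which routes the
customer may announce; the same list bounds which source addresses the
customer may legitimately send from.
"""
import ipaddress

# Constructed prefix-list (IOS syntax); names and addresses are made up.
CUSTOMER_PREFIX_LIST = """
ip prefix-list CUST-A seq 5 deny 192.0.2.128/25
ip prefix-list CUST-A seq 10 permit 192.0.2.0/24 le 28
ip prefix-list CUST-A seq 15 permit 203.0.113.0/24
ipv6 prefix-list CUST-A-V6 seq 5 permit 2001:db8:1::/48 le 64
"""


def parse_prefix_list(text):
    """Return [(action, network)] in file order.

    'ge'/'le' constrain the lengths of *routes* the customer may announce;
    for a source-address filter only the covering prefix matters, since any
    host inside a permitted block is a legitimate source. Malformed lines
    raise instead of silently widening the filter.
    """
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if len(tok) < 2 or tok[0] not in ("ip", "ipv6") or tok[1] != "prefix-list":
            raise ValueError(f"unexpected line: {line!r}")
        try:
            idx = next(i for i, t in enumerate(tok) if t in ("permit", "deny"))
        except StopIteration:
            raise ValueError(f"no permit/deny in: {line!r}") from None
        entries.append((tok[idx], ipaddress.ip_network(tok[idx + 1], strict=True)))
    return entries


def source_allowed(entries, src):
    """First-match evaluation with implicit deny, like a prefix-list."""
    addr = ipaddress.ip_address(src)
    for action, net in entries:
        if addr.version == net.version and addr in net:
            return action == "permit"
    return False


def render_ios_acl(entries, name):
    """Render the IPv4 part of the filter as an IOS extended ACL.

    Wildcard masks are the inverse of the netmask; the final line is the
    explicit deny-and-log that catches everything outside the customer's
    prefixes (i.e. spoofed sources).
    """
    lines = [f"ip access-list extended {name}"]
    for action, net in entries:
        if net.version == 4:
            lines.append(f" {action} ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


def filter_packets(entries, packets):
    """Apply the source filter to (src, dst) pairs -> [(src, dst, verdict)]."""
    return [
        (src, dst, "forward" if source_allowed(entries, src) else "drop")
        for src, dst in packets
    ]


# Constructed traffic arriving on the customer-facing port.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.53"),         # legitimate customer source
    ("192.0.2.200", "198.51.100.53"),        # inside the denied /25 -> drop
    ("198.51.100.5", "192.0.2.10"),          # spoofed from outside the domain -> drop
    ("203.0.113.7", "192.0.2.10"),           # spoofed, but inside the domain -> forward
    ("2001:db8:1::10", "2001:db8:ffff::1"),  # legitimate v6 source
    ("2001:db8:2::10", "2001:db8:ffff::1"),  # outside the v6 prefix -> drop
]

if __name__ == "__main__":
    entries = parse_prefix_list(CUSTOMER_PREFIX_LIST)
    print(render_ios_acl(entries, "CUST-A-IN"))
    for src, dst, verdict in filter_packets(entries, SAMPLE_PACKETS):
        print(f"{verdict:8} {src} -> {dst}")
```

The rendered ACL applies to a single upstream-facing port, which is the low cost the message argues for: one ACL per customer port, generated from data the provider already keeps, with no per-subscriber work inside the access network. A deny entry in the prefix-list stays a deny in the ACL, so ordering is preserved from the source list.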
More information about the NANOG