Saku Ytti saku at
Tue Jan 14 17:05:13 UTC 2014

On (2014-01-14 08:35 -0800), Damian Menscher wrote:

> I see this as a form of BCP38, but imposed on networks by their transit
> providers, rather than done voluntarily.  It would be great if it could
> work, but I have doubts due to asymmetric routing announcements intended
> for traffic shaping.

Yes, I should have specified 'BCP38 in access networks' as being completely
(We do BCP38 on all ports and verify programmatically, but I know it's not at
all practical solution globally for access).

ACL in transit port is completely harmless, no announcements are needed for
traffic to be accepted. There are very modest amount of transit ports globally
and each port will create segmentation to the spoofing domains having
immediate, significant effect on benefits of spoofed attacks.
RPF obviously is non-starter for reasons you stated.

> I'd expect that to take 20 years or more.  Even if new standards are
> defined, the old servers will only be removed when they physically fail.

It would have to be carried over UDP initially and that support probably would
have to live for 20 years. But new-l4-over-udp version could be deployable

I'm very optimistic that if we'd have useful L4 for DNS, significant portion
of relevant DNS servers could be upgraded rapidly to support it. We may be
able to use existing data for this, how many servers went from DNS source port
to random source port to add entropy to reduce poisoning attack chance?

Good portion of end users are running w7, w8, osx  updating itself
automatically, so end-user support could come automatically and not require
action from users. phones, tablets etc have short upgrade cycles anyhow.

Native-udp port could then be policed heavily, making reflected attacks
pay-off poor and motivates rest of the users to take actions needed for new

> My crazy proposal: get international agreement that sending spoofed packets

Agreed, crazy.


More information about the NANOG mailing list