BCP38 adoption "incentives"?

Mikael Abrahamsson swmike at swm.pp.se
Tue Sep 27 12:46:24 UTC 2016


On Tue, 27 Sep 2016, Stephen Satchell wrote:

> You have to make their ignorance SUBTRACT from the bottom line.

I'd say there is no way to actually achieve this. BCP38 non-compliance 
doesn't hurt the one not in compliance in any significant amount, it hurts 
everybody else.

The only way I can imagine BCP38 ever happening widely is by means of 
legislation, which of course is really hard because Internet spans 
countries/continents.

Doing anti-spoofing should be done at the edge, the further up into the 
core you try to do it, the bigger risk you're breaking lots of users' 
connectivity, causing customer complaints.

In some countries I'm sure BCP38 compliance could be increased by means of 
legislation and fining companies that do not do BCP38 filtering. But 
before we do that, we need to agree that BCP38 compliance is a must. I 
don't think we're there. I have heard people say that if they don't allow 
some of their customers to spoof, they're losing business, because some 
customers have built complete (deployed) solutions that are built on the 
fact that they can spoof packets. These people will have to be convinced 
that they're doing it wrong and re-design their solutions. This is going 
to cost them dearly, so they're going to be upset.

With all the IoT devices out there, do people even need to spoof anymore?

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se



More information about the NANOG mailing list