I'm sure this must have been discussed at some point, somewhere. The premise with regard to BCP38 + open resolvers is that the spoofed packets reside on different networks than the resolvers. If these resolvers are primarily CPE and other unmaintained equipment, then it stands to reason that they reside inside networks containing other equipment; and this equipment could be the source of the source-spoofed (DNS) packets.
Reflecting traffic off of an open resolver on one's own network would serve to cloak the true identity of the originator. BCP38 filtering on egress from the network is ineffective in such scenarios because it is based on the assumption that the spoofed packets are coming in from outside the network (and hence originated as egress from someone else's network). If the good guys can map open resolvers, so can the bad guys. (There are no "black hat" data scientists?) If we know that spoofed port queries are traversing peering points, then we know the networks they're coming from. If we don't know that, then see above; if we can't shame them, see "Maginot Line".

-- Fred Morris
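The following toy model is an added example, not part of Fred's post, illustrating the routing argument he makes: an access network that applies BCP38 source-address validation only at its border will pass a reflected response whose source is the in-network open resolver, because the forged query never crossed the border and the answer carries a legitimate internal source. The prefixes (192.0.2.0/24 for the access network, 198.51.100.7 as the victim, 203.0.113.53 as an external resolver) are RFC 5737 documentation addresses chosen for the example; the `Network`/`Packet` classes are hypothetical and model only source-address checks, not real DNS.

```python
"""Toy model: BCP38 egress filtering versus reflection off an in-network open resolver.

Added example (not from the original post). All addresses are RFC 5737
documentation ranges and the classes below are illustrative, not a real router.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source address as written on the wire (may be forged)
    dst: str
    payload: str


class Network:
    """An access network with BCP38-style source validation on its egress link only."""

    def __init__(self, prefix, open_resolvers):
        self.prefix = ipaddress.ip_network(prefix)
        self.open_resolvers = {ipaddress.ip_address(r) for r in open_resolvers}
        self.egress_log = []   # packets that actually left the network
        self.dropped = []      # packets the egress filter discarded

    def contains(self, addr):
        return ipaddress.ip_address(addr) in self.prefix

    def egress_filter(self, pkt):
        """BCP38 at the border: forward only packets sourced from our own prefix."""
        if self.contains(pkt.src):
            self.egress_log.append(pkt)
            return True
        self.dropped.append(pkt)
        return False

    def deliver(self, pkt):
        """Route a packet emitted by a host inside the network.

        Returns the list of packets that made it out to the wider Internet.
        """
        if self.contains(pkt.dst):
            # Destination is internal: the border filter is never consulted.
            if ipaddress.ip_address(pkt.dst) in self.open_resolvers:
                return self.reflect(pkt)
            return []
        # Destination is external: the egress filter applies.
        return [pkt] if self.egress_filter(pkt) else []

    def reflect(self, query):
        """An open resolver answers to whatever source the query claimed.

        The response is sourced from the resolver's own (internal) address,
        so from the border's point of view it is perfectly well-formed.
        """
        response = Packet(src=query.dst, dst=query.src, payload="ANSWER " + query.payload)
        return self.deliver(response)


def run_scenarios():
    """Compare a direct spoof against an external resolver with an in-network reflection."""
    net = Network("192.0.2.0/24", open_resolvers=["192.0.2.53"])
    victim = "198.51.100.7"   # forged as the source by a host inside 192.0.2.0/24

    # Scenario 1: spoofed query aimed straight at an external open resolver.
    # The forged source is outside our prefix, so the border drops it.
    direct = net.deliver(Packet(src=victim, dst="203.0.113.53", payload="Q example. ANY"))

    # Scenario 2: the same forged query aimed at an open resolver on our own network.
    # It never reaches the border; the resolver's answer does, with a legitimate source.
    reflected = net.deliver(Packet(src=victim, dst="192.0.2.53", payload="Q example. ANY"))

    return {
        "direct_left_network": direct,
        "reflected_left_network": reflected,
        "dropped_at_egress": net.dropped,
    }


if __name__ == "__main__":
    result = run_scenarios()
    print("direct spoof left the network:   ", result["direct_left_network"])
    print("reflected answer left the network:", result["reflected_left_network"])
```

In scenario 2 the only packet the border ever sees is sourced from 192.0.2.53, so a border-only BCP38 rule has nothing to object to, which is the point of the post. The check that would catch it is the one BCP38 actually recommends: source validation on the customer-facing port (for example strict uRPF on the access interface), where a query claiming to come from 198.51.100.7 but arriving from the attacker's own port is dropped before it can reach the in-network resolver at all.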