Hi all, I'm Bingyang Liu, a ph.d student in Tsinghua University. My thesis topic is on "source address validation".
Although BCP38 was proposed more than ten years ago, IP spoofing still remains an attack vector [MIT-Spoofer] [ARBOR-Annual-Report] [Presentation on NANOG Meeting] [Discussion in NANOG ML]. I did a lot investigation, but still have no idea why so many ISPs haven't deploy BCP38. I enumerate three reasons I found, and I'd like your comments very much. 1. Stub ASes: They rely on their providers to filter, so they won't deploy BCP38 on their own. 2. Low tier transit ASes: They are most likely to deploy BCP38 on the interfaces towards their customers. 3. Large or tier1 ASes: Their peers and customers are also large. So uRPF may have false positive and ACLs are too large to manage. I also asked some ISP guys in IETF today, they all agreed that IP spoofing is an issue, but they may haven't deployed it. One key issue, I think, is about incentive. i.e. you can filter, but you'll still receive spoofing from providers and peers who haven't enforced BCP38. best Bingyang -- Bingyang Liu Network Architecture Lab, Network Center,Tsinghua Univ. Beijing, China Home Page: http://netarchlab.tsinghua.edu.cn/~liuby