While I'm a big fan of RFP, it does require that operators be "good citizens" for it to be effective. Like most of the Internet, it's built on a "web" of trust.

On Wed, Mar 28, 2012 at 12:10 PM, Bingyang LIU <bjorn...@gmail.com> wrote:
> Hi David, Leo, Patrick and all,
>
> Considering the reasons you raised, do you think the following two things
> can happen?
>
> 1. Give BCP38 the only practical anti-spoofing technique, can an ISP well
> protect its customers by implementing BCP38? I don't think so, because I
> think BCP38 is accurate near the source but inaccurate near the
> destination, i.e. if its customer is the target of spoofing attack, its
> capability to filter is relatively low.
>
> 2. Even if ineffective near the destination, is an ISP willing to deploy it
> if it becomes easy to adopt and risk-free (no false positive)?
>
> Sorry for my stupid and naive questions.
>
> best
> Bingyang
>
> On Wed, Mar 28, 2012 at 5:45 PM, David Conrad <d...@virtualized.org> wrote:
>
>> Leo,
>>
>> On Mar 28, 2012, at 8:13 AM, Leo Bicknell wrote:
>>
>> #1) Money.
>>
>> #2) Laziness.
>>
>> > While Patrick is spot on, there is a third issue which is related
>> > to money and laziness, but also has some unique aspects.
>> >
>> > BCP38 makes the assumption that the ISP does some "configuration"
>> > to insure only properly sourced packets enter the network. That
>> > may have been true when BCP38 was written, but no longer accurately
>> > reflects how networks are built and operated.
>>
>> An interesting assertion. I haven't looked at how end-user networks are
>> built recently. I had assumed there continue to be customer aggregation
>> points within ISP infrastructure in which BCP38-type filtering could occur.
>> You're saying this is no longer the case? What has replaced it?
>>
>> > BCP38 needs to be applied at the OEM level in equipment
>> > manufacturing, not at the operational level with ISP's.
>>
>> I don't believe this is either/or. I agree that BCP38 features should be
>> turned on by default in CPE, however I believe it really needs to be
>> enforced at the ISP level.
>>
>> > As long as folks keep beating on (consumer) ISPs to implement BCP38,
>> > nothing will happen.
>>
>> Optimist.
>>
>> Actually, given the uptick in spoofing-based DoS attacks, the ease in
>> which such attacks can be generated, recent high profile targets of said
>> attacks, and the full-on money pumping freakout about anything with
>> "cyber-" tacked on the front, I suspect a likely outcome will be proposals
>> for legislation forcing ISPs to do something like BCP38.
>>
>> Regards,
>> -drc
>
> --
> Bingyang Liu
> Network Architecture Lab, Network Center,Tsinghua Univ.
> Beijing, China
> Home Page: http://netarchlab.tsinghua.edu.cn/~liuby

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/