Also,

Don't forget that transit providers currently bill their customers to carry 
that spoofed/DoS traffic; why would they filter it when it's $$$$ on their 
balance sheets?

-Drew


-----Original Message-----
From: Bingyang LIU [mailto:bjorn...@gmail.com] 
Sent: Wednesday, March 28, 2012 1:15 PM
To: Darius Jahandarie
Cc: NANOG list
Subject: Re: BCP38 Deployment

Hi Darius,

Yes, I agree that feasible RPF solves the problem in a lot of scenarios.

However, in some other cases, the asymmetric routing is caused by static 
routing, traffic engineering, policy routing, etc., where the lengths of 
forward path and reverse path may differ, so feasible RPF may also fail (false 
positive).

Bingyang

On Wed, Mar 28, 2012 at 7:07 PM, Darius Jahandarie <djahanda...@gmail.com> 
wrote:
> On Wed, Mar 28, 2012 at 12:50, David Conrad <d...@virtualized.org> wrote:
>> I would be surprised if this were true.
>>
>> I'd argue that today, the vast majority of devices on the Internet (and 
>> certainly the ones that are used in massive D(D)oS attacks) are found 
>> hanging off singly-homed networks.
>
> Yes, but RPF can be implemented in places other than the customer 
> edge. In those places, lack of widespread, easy, and vendor-supported 
> feasible-path uRPF is what I believe really hurts things.
>
> Granted, this is along a different line than what the OP was talking 
> about, but in terms of answering the question of "why don't we see 
> ingress filtering as much as we should?", I think it's a large factor.
>
> --
> Darius Jahandarie
>



--
Bingyang Liu
Network Architecture Lab, Network Center,Tsinghua Univ.
Beijing, China
Home Page: http://netarchlab.tsinghua.edu.cn/~liuby
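
Added example, not part of the original thread: a simplified Python model of strict, feasible-path and loose uRPF, showing the case raised above where a legitimate packet arrives on an interface that carries no route back to its source, so feasible-path uRPF drops it as well. The prefixes, interface names and RIB contents are constructed, and feasible-path is modelled here as "any learned route for the source prefix on the arrival interface", which is an assumption of this sketch.

```python
import ipaddress

# Constructed sample RIB (documentation prefixes, hypothetical interface names).
# Each tuple: (prefix, interface the route was learned on, is it the best path?)
RIB = [
    ("198.51.100.0/24", "if-1", True),   # customer A, best path
    ("198.51.100.0/24", "if-2", False),  # customer A, alternate path also announced
    ("203.0.113.0/24", "if-1", True),    # customer B announces on if-1 only
]

def paths_for(src):
    """All (interface, is_best) routes under the longest prefix covering src."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), i, b) for p, i, b in RIB
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return []
    longest = max(net.prefixlen for net, _, _ in hits)
    return [(i, b) for net, i, b in hits if net.prefixlen == longest]

def urpf_accepts(mode, src, in_if):
    """Simplified model of the three uRPF modes for one packet."""
    paths = paths_for(src)
    if mode == "loose":      # any route to the source at all
        return bool(paths)
    if mode == "strict":     # arrival interface must be the best path back
        return any(i == in_if and best for i, best in paths)
    if mode == "feasible":   # arrival interface must carry some route back
        return any(i == in_if for i, _ in paths)
    raise ValueError(f"unknown mode: {mode}")

# Constructed packets: (description, source address, arrival interface)
PACKETS = [
    ("A via alternate link", "198.51.100.10", "if-2"),
    ("B via unannounced link", "203.0.113.10", "if-2"),
    ("unrouted source", "192.0.2.1", "if-1"),
]

def verdicts():
    """Map each packet description to {mode: accepted?}."""
    return {d: {m: urpf_accepts(m, s, i) for m in ("strict", "feasible", "loose")}
            for d, s, i in PACKETS}

if __name__ == "__main__":
    for desc, result in verdicts().items():
        print(f"{desc:24} {result}")
```

Customer B's packet is legitimate but sent out over a link on which B does not announce its prefix (static, policy or traffic-engineered routing), so only loose mode accepts it; the unrouted source is dropped in every mode.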

