On Feb 23, 2014, at 9:50 AM, Lukasz Bromirski <luk...@bromirski.net> wrote:
> To do some additional checks would require extensive testing, platforms
> capable of doing this in predictable manner (stability, performance)
> and obviously - a lot more work than it costs today.


What are the costs and stability impacts of the DDOS that are running now?

Everyone is asserting it's someone else's problem.  Which in a sense it is.  
But what goes around will come around.

If you are not BCP 38 you are sourcing problems.

If you are transiting or IXPing someone who isn't BCP 38 you are enabling 
problems.

Is what we are doing now good enough?  Probably not.

It would take fewer IXP and transit providers adding analysis capability to 
backtrack than endpoints.  So the enablers are more capable of effecting 
change.  They are less to blame in the first place, but not blameless. 

To assert blamelessness is a form of Tragedy of the Commons.  If it's crossing 
your link or switch, you ARE in the responsibility chain.

The last thing I would like to see is large orgs starting to retreat away from 
open interconnect because of DDOS coming in from less well managed parts of the 
net.

Perhaps BCP 38 implementation will rise fast enough that these things will not 
become real, but we have been hearing that for 15 plus years now...

At some point, the "38 will work by itself!" line approaches "Look at the 
Emperor's fine new clothes!".


-george william herbert
george.herb...@gmail.com

Sent from Kangphone
