Greetings, When I was teaching CIS classes at a local Community College, when we would cover Firewalls I always taught them to NOT be the reason someone else is suffering Distributed Denial Of Service (DDOS) attacks. And the way to do this was to follow the "Best Common Practibe 38" (BCP-38) found in the RFC's, to NEVER send out any packets that don't have a SOURCE ADRRESS that is one within your own network. NEVER spoof a source address that is not your own. http://www.bcp38.info/index.php/Main_Page --- Jay Nugent WB8TKL o Retired o Had a nice career at Washtenaw Community College, Nugent Telecommunications, ANS/NSFnet, AOL, GTE Telenet, Bell Northern Research, Northern Telecom, and others... On Sat, 5 Apr 2025, Barry Greene via NANOG wrote:
"What is the exact optimum solution?”
You build SAV into your architect. It is that simple. Start with the end in mind - ensure no packet leaves your part of the network if the IP source does NOT equal the IPs allocated to that network.
It it does, you have FAILED as a network architect.
People get caught up with the widgets you might use to achieve your archectural goals. How you do SAV depends on what you are building. What I would do on a 4G/5G architecture is different from an edge rack on a cloud/edge network which is then different from an office enterprise, which is different from a broadband provider which is different from my home network which is different from ……
Taygun, people get all tided in knots debating on which is best - the nail, the wood screw, the bolt, the clamp, wood glue, duct tape …. All to connect to piece of wood together. Do not get lost in ’SAV widget debate.’
Focus on the regulatory requirement for networks to have SAV be integral to the network architecture. Yes, “regulator requirement” .. just like civil engineering architecture requirement to ensure a building is safe. It is the only way you are going to break the 80/20 problem. We reached 80% SAV deployment back in 2012 (see https://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/). People didn’t like my post, but it was reality. CAIDA got some funding to move the Spoofer project and do another year, but then that money disappeared.
If you want Türkiye to deploy SAV effectively, then you go to the Telecom Regulator and ask for them to make it a licensed requirement. They do not need the knowledge of the “technical SAV widgets,” they just say - no spoofed packets.
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/AOI6DXPG...