1. Given BCP38 is the only practical anti-spoofing technique, can an ISP well protect its customers by implementing BCP38? I don't think so, because I think BCP38 is accurate near the source but inaccurate near the destination, i.e. if its customer is the target of a spoofing attack, its capability to filter is relatively low.
Nobody seems to have corrected this point. BCP38 is not intended to protect an ISP's customers.

We're used to thinking in terms of protecting ourselves; you put locks on your front door or firewalls in front of your server. That's protecting yourself. If an ISP provides firewalling for their customers, then they are using it to protect the ISP's customers.

BCP38 is intended to protect the *rest* of the Internet from *you* - or, more precisely, a bad guy who has taken over your connection. If your ISP implements BCP38, they are protecting everyone *else* from spoofed packets from your connection. It provides no protection for you, though.

What provides protection for you is when *other* ISPs implement BCP38. If every other ISP except yours implemented BCP38, you'd be very well protected indeed.

The problem here is that BCP38 assumes that service providers will work in the best interests of the Internet in general, implementing a filter that provides no measurable RoI for the SP. It's something that reduces everyone *else's* problems. It's good to implement on that basis, but most networks don't.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
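The asymmetry described in this reply, as an added example that is not part of the original post: a small model of three hypothetical ISPs that counts how many spoofed packets reach each ISP's customers, depending on which ISPs apply a BCP38 source-address check at their customer edge. The ISP names, prefixes (documentation ranges) and traffic are constructed for illustration.

```python
import ipaddress

# Constructed topology: each ISP and the customer prefix it assigns.
ISP_PREFIXES = {
    "isp_a": ipaddress.ip_network("192.0.2.0/24"),
    "isp_b": ipaddress.ip_network("198.51.100.0/24"),
    "isp_c": ipaddress.ip_network("203.0.113.0/24"),
}

def ingress_permits(isp, src, bcp38_isps):
    """BCP38 check at the customer-facing edge of `isp`: the source address
    must fall inside the prefix that ISP assigned to its own customers."""
    if isp not in bcp38_isps:
        return True  # no ingress filter: any source address is forwarded
    return ipaddress.ip_address(src) in ISP_PREFIXES[isp]

def home_isp(addr):
    """Return the ISP whose customer prefix contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, p in ISP_PREFIXES.items() if ip in p), None)

def spoofed_delivered(packets, bcp38_isps):
    """Count spoofed packets that reach customers of each ISP.
    Each packet is (sending_isp, claimed_src, dst). It is spoofed when the
    claimed source is outside the sending ISP's prefix. Filtering happens
    only where the packet enters the network, never at the destination."""
    hits = {name: 0 for name in ISP_PREFIXES}
    for sending_isp, src, dst in packets:
        spoofed = ipaddress.ip_address(src) not in ISP_PREFIXES[sending_isp]
        if spoofed and ingress_permits(sending_isp, src, bcp38_isps):
            victim = home_isp(dst)
            if victim:
                hits[victim] += 1
    return hits

# Constructed traffic: hosts at every ISP send spoofed-source packets to
# customers of the other ISPs, plus one packet with a legitimate source.
PACKETS = [
    ("isp_a", "203.0.113.7", "198.51.100.10"),   # from A, spoofed, to B
    ("isp_a", "198.51.100.9", "203.0.113.20"),   # from A, spoofed, to C
    ("isp_b", "203.0.113.8", "192.0.2.10"),      # from B, spoofed, to A
    ("isp_c", "198.51.100.3", "192.0.2.11"),     # from C, spoofed, to A
    ("isp_c", "192.0.2.99", "198.51.100.12"),    # from C, spoofed, to B
    ("isp_a", "192.0.2.5", "198.51.100.10"),     # from A, legitimate source
]

if __name__ == "__main__":
    for deployed in (set(), {"isp_a"}, {"isp_b", "isp_c"}):
        print(sorted(deployed), spoofed_delivered(PACKETS, deployed))
```

When only isp_a filters, its own customers receive exactly as many spoofed packets as before; when only the other two filter, isp_a's customers receive none.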