On Tue, Mar 26, 2013 at 10:51 AM, Jay Ashworth <jra@baylink.com> wrote:
> But have we reached the point where it's time to start trying?
Yes.
> Do we need to define a flag day, say one year hence, and start making the sales pitch to our Corporate Overlords that we need to apply the IDP to edge connections which cannot prove they've implemented BCP38 (or at very least, the source address spoofing provisions thereof)? Put this in contracts and renewals, with the same penalty?
Yes, but scope the problem a little differently.

1. The general IDP does not apply to stub networks which do not speak BGP. It is for those stubs' ISPs to determine how they'll handle mis-sourced traffic they receive from those networks.

2. A BGP origin-only network is required to secure its BGP-speaking borders against source address spoofing. It may also secure spoofing from downstream networks (and in fact it SHOULD do so), but it avoids the IDP so long as its BGP-speaking borders are secured.

3. A BGP transit network is required to secure all components of its network against source address spoofing, including all non-BGP stub customers and all origin-only BGP customers. It is not expected to prevent spoofed packets from arriving from neighboring transit BGP networks. It is also expected to promptly assist (24/7/365) with trace requests from any individual presenting legitimate credentials as the assignee of a particular source address and presenting reasonable evidence that packets with a spoofed address cross a specifically identified system owned by the transit network. Where the packet stream continues, these trace requests must promptly result in identification of the actual source of the packet (if within the transit network's system) or the identification of the neighboring system, the specific entry point and high-level contacts within the neighbor system capable of continuing the trace. Some number of misconfigurations which permit spoofed packets from components of the transit network are to be expected and promptly corrected.

4. Applying the IDP _does not_ mean you cut off the network. That'll piss off your customers as much or more than it pisses off theirs. The position is untenable. Instead, the IDP consists of redirecting the offender's public presence web sites to a web site which proclaims the IDP, lists the causes of the IDP and lists the actions required to lift the IDP.

5. IDP can't be a local decision. We should elect or empanel or otherwise select a group of individuals who decide both when a network gets the IDP and when the IDP is lifted. Compliance with the group's decision to impose an IDP can be optional, but a riot of RBLs like those that have developed in the anti-spam community would cause at least as much trouble as it fixes.
> Do the engineering heads at the top 10 tier-1/2 carriers carry enough water to make that sale to the CEOs?
To ask the CEOs to authorize cutting off access to a competitor's web site with the full support and approval of a group of recognized Internet luminaries?

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
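The "secure against source address spoofing" obligation in points 2 and 3 above is BCP38 ingress filtering: on each customer-facing edge, permit only packets whose source lies in the address space that neighbor is entitled to originate, and do not expect the same check on links to neighboring transit networks. The following is an added example written for this page, not code from the thread or from any vendor; it models that per-edge decision in Python with the `ipaddress` module, and the edge names, prefixes (documentation ranges) and sample packets are all constructed for illustration.

```python
"""Model of BCP38 source-address ingress filtering at a transit network's edges.

Added example for this page; not code from the NANOG thread or any router vendor.
Edge names, prefixes and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EDGE_KINDS = ("stub", "origin_only", "transit")


@dataclass
class Edge:
    """One edge connection of the transit network.

    kind:     "stub" (non-BGP customer), "origin_only" (BGP customer that is
              not itself transit) or "transit" (neighboring transit network).
    prefixes: address space the neighbor is entitled to source packets from
              (assigned space plus whatever it legitimately carries downstream).
              Given as strings; converted to ip_network objects on construction.
    """
    name: str
    kind: str
    prefixes: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.kind not in EDGE_KINDS:
            raise ValueError(f"unknown edge kind {self.kind!r}")
        # strict=True rejects prefixes with host bits set (a config typo, not a
        # customer assignment), so a mistyped prefix fails loudly at load time.
        self.nets = [ipaddress.ip_network(p, strict=True) for p in self.prefixes]


def ingress_decision(edge: Edge, src: str) -> str:
    """Decide what to do with a packet arriving on `edge` with source `src`.

    Returns one of:
      "accept"        source is inside the space assigned to this neighbor
      "drop"          source is outside it (spoofed or otherwise mis-sourced)
      "pass-transit"  transit neighbor: no source check is applied here, per
                      point 3 of the thread (the neighbor is responsible)
    """
    if edge.kind == "transit":
        return "pass-transit"
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"  # unparsable source address: nothing to match, drop it
    for net in edge.nets:
        # Address family must match: an IPv6 source never belongs to an IPv4 net.
        if addr.version == net.version and addr in net:
            return "accept"
    return "drop"


def forwarded_spoofs(edges: Dict[str, Edge],
                     observed: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Given (edge_name, src) pairs for packets the network actually forwarded,
    return those a correctly filtered edge would have dropped. A non-empty
    result points at the misconfigured edges the thread says to fix promptly.
    """
    leaks = []
    for edge_name, src in observed:
        edge = edges[edge_name]
        if ingress_decision(edge, src) == "drop":
            leaks.append((edge_name, src))
    return leaks


def build_edges() -> Dict[str, Edge]:
    """Constructed edge table using documentation prefixes (not real assignments)."""
    table = [
        Edge("cust-stub-1", "stub", ["192.0.2.0/24"]),
        Edge("cust-bgp-1", "origin_only", ["198.51.100.0/24", "2001:db8::/32"]),
        Edge("peer-transit-1", "transit"),
    ]
    return {e.name: e for e in table}


if __name__ == "__main__":
    edges = build_edges()
    # Constructed sample of packets seen leaving the network, keyed by entry edge.
    seen = [
        ("cust-stub-1", "192.0.2.77"),       # legitimate
        ("cust-stub-1", "203.0.113.9"),      # spoofed: not the stub's space
        ("cust-bgp-1", "2001:db8:1::1"),     # legitimate IPv6
        ("cust-bgp-1", "192.0.2.5"),         # spoofed: another customer's space
        ("peer-transit-1", "203.0.113.9"),   # not filtered at this boundary
    ]
    for edge_name, src in seen:
        print(f"{edge_name:15} {src:18} {ingress_decision(edges[edge_name], src)}")
    print("edges leaking spoofed packets:", forwarded_spoofs(edges, seen))
```

The split between "drop" and "pass-transit" is the point of the example: the same packet with a source of 203.0.113.9 is a filtering failure on a customer edge but is expected on a transit peering, which is exactly why the trace obligation in point 3 stops at identifying the neighbor and its entry point rather than at dropping the traffic.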