Hi David, Leo, Patrick and all,

Considering the reasons you raised, do you think the following two things can happen?

1. Given BCP38 as the only practical anti-spoofing technique, can an ISP protect its customers well by implementing BCP38? I don't think so, because I think BCP38 is accurate near the source but inaccurate near the destination, i.e. if its customer is the target of a spoofing attack, its capability to filter is relatively low.

2. Even if ineffective near the destination, is an ISP willing to deploy it if it becomes easy to adopt and risk-free (no false positives)?

Sorry for my stupid and naive questions.

best
Bingyang

On Wed, Mar 28, 2012 at 5:45 PM, David Conrad <drc@virtualized.org> wrote:
Leo,
On Mar 28, 2012, at 8:13 AM, Leo Bicknell wrote:
#1) Money. #2) Laziness.
While Patrick is spot on, there is a third issue which is related to money and laziness, but also has some unique aspects.
BCP38 makes the assumption that the ISP does some "configuration" to insure only properly sourced packets enter the network. That may have been true when BCP38 was written, but no longer accurately reflects how networks are built and operated.
An interesting assertion. I haven't looked at how end-user networks are built recently. I had assumed there continue to be customer aggregation points within ISP infrastructure in which BCP38-type filtering could occur. You're saying this is no longer the case? What has replaced it?
BCP38 needs to be applied at the OEM level in equipment manufacturing, not at the operational level with ISPs.
I don't believe this is either/or. I agree that BCP38 features should be turned on by default in CPE, however I believe it really needs to be enforced at the ISP level.
As long as folks keep beating on (consumer) ISPs to implement BCP38, nothing will happen.
Optimist.
Actually, given the uptick in spoofing-based DoS attacks, the ease with which such attacks can be generated, recent high profile targets of said attacks, and the full-on money pumping freakout about anything with "cyber-" tacked on the front, I suspect a likely outcome will be proposals for legislation forcing ISPs to do something like BCP38.
Regards,
-drc
--
Bingyang Liu
Network Architecture Lab, Network Center, Tsinghua Univ.
Beijing, China
Home Page: http://netarchlab.tsinghua.edu.cn/~liuby
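
Added example, not part of the original message or thread: a small Python model of the first question above, comparing what a source-address filter can decide on a customer-facing port (near the source) with what it can decide on an upstream port (near the destination). The port names, prefixes and packets are constructed, and the upstream rule (drop outside packets claiming an inside source) assumes single-homed customers; it goes beyond the customer-edge check the thread discusses.

```python
import ipaddress

# Constructed topology using documentation prefixes; not taken from the thread.
CUSTOMER_PORTS = {
    "cust-a": ipaddress.ip_network("192.0.2.0/25"),
    "cust-b": ipaddress.ip_network("192.0.2.128/25"),
}
UPSTREAM_PORTS = {"transit-1"}

def ingress_verdict(port, src):
    """Return 'accept' or 'drop' for a packet entering the ISP on `port`."""
    addr = ipaddress.ip_address(src)
    if port in CUSTOMER_PORTS:
        # Near the source: the one valid source prefix for this port is known.
        return "accept" if addr in CUSTOMER_PORTS[port] else "drop"
    if port in UPSTREAM_PORTS:
        # Near the destination: any outside address may be genuine, so only
        # sources claiming to be one of our own customers are provably false.
        # Assumption: customers are single-homed.
        inside = any(addr in net for net in CUSTOMER_PORTS.values())
        return "drop" if inside else "accept"
    raise ValueError(f"unknown port {port!r}")

# Constructed packets: (ingress port, claimed source address, is_spoofed)
PACKETS = [
    ("cust-a", "192.0.2.10", False),       # genuine customer traffic
    ("cust-a", "198.51.100.7", True),      # customer forging an outside source
    ("cust-a", "192.0.2.200", True),       # customer forging a neighbour's source
    ("transit-1", "198.51.100.7", False),  # genuine outside traffic
    ("transit-1", "203.0.113.9", True),    # outside host forging an outside source
    ("transit-1", "192.0.2.10", True),     # outside host forging an inside source
]

def summarize(ports):
    """Return (spoofed dropped, spoofed total, genuine dropped) on `ports`."""
    caught = total = false_pos = 0
    for port, src, spoofed in PACKETS:
        if port not in ports:
            continue
        dropped = ingress_verdict(port, src) == "drop"
        total += spoofed
        caught += spoofed and dropped
        false_pos += (not spoofed) and dropped
    return caught, total, false_pos

if __name__ == "__main__":
    print("customer edge:", summarize(CUSTOMER_PORTS))
    print("upstream edge:", summarize(UPSTREAM_PORTS))
```
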