Date: Tue, 19 Oct 2004 13:20:08 -0400
From: David G. Andersen <dga@lcs.mit.edu>
Subject: Re: BCP38 making it work, solving problems

[ ... ]

Unless you're worried about an adversary who taps into your fiber, how are MD5 checksums any better than anti-spoofing filters that protect your BGP peering sessions? The only benefit I see is that you can actually verify that your peer is using md5 checksums, instead of having to take them on faith that they won't permit someone to spoof their router's address.

How much control do 'they' have over the ways 'someone' can spoof? With large providers who don't see any harm in allowing possibly spoofed traffic through, you cannot exclude the possibility that an ISP connected to an IX "leaks" those spoofed packets onto the IX. (or leaks RFC1918 space... I know of a few examples / mails ;D)

In the current world - where you cannot exclude either one - you're much better off 'safe' than 'sorry'...

Implementing BCP38 (to come back on-topic) is just plain good neighbourhood policy. I don't go building 2.5 meter tall fences around my house because I don't want my neighbour's plants in my garden. No, we come to an understanding that whenever his plants get out of control in my garden I can cut them back, but that he will also trim them more often. In most cases it will go like that, the minority of when it doesn't go like that, you start filtering / whatever, just like we do now.

Regards,
JP Velders