On (2014-02-04 23:01 -0500), Valdis.Kletnieks@vt.edu wrote:
Regulation and audits work well enough for butchers, restaurants etc. Remember once BCP 38 is implemented it is relatively easy to continue. The big step is getting it turned on in the first place which requires having the right equipment.
Now if we could get equipment vendors to stop shipping models without the necessary support it would help but that also may require government intervention.
Time to name-and-shame. It's 2014. Who's still shipping gear that can't manage eyeball-facing BCP38?
If we keep thinking of this problem as a last-mile port problem, it won't be solved in the next 20 years. Because a lot of those ports really can't do RPF, and even if they can do it, they are on autopilot and the next change is a market-forced fork-lift change. The company may not even employ technical personnel, only buy consulting when making changes.

If we focus on transit borders, we can make spoofed DoS completely impractical very rapidly, as spoofing is then restricted inside the domain, and if the target isn't in the same domain, you can't benefit from it. And as attacks are from distributed botnets, you'll simply generate more attack traffic by not spoofing, as you're not restricted inside the spoofing domain.

However, transit border doing ACL is something that seems to be very controversial, there is no universal consensus that it even should be done and quite few seem to do it. I feel we need to change this, and make the community at large agree it is the BCP and solve the challenges presented.

--
++ytti