On Tue, 27 Sep 2016, Stephen Satchell wrote:
> You have to make their ignorance SUBTRACT from the bottom line.

I'd say there is no way to actually achieve this. BCP38 non-compliance doesn't hurt the one not in compliance in any significant amount, it hurts everybody else.

The only way I can imagine BCP38 ever happening widely is by means of legislation, which of course is really hard because Internet spans countries/continents.

Doing anti-spoofing should be done at the edge, the further up into the core you try to do it, the bigger risk you're breaking lots of users' connectivity, causing customer complaints.

In some countries I'm sure BCP38 compliance could be increased by means of legislation and fining companies that do not do BCP38 filtering. But before we do that, we need to agree that BCP38 compliance is a must. I don't think we're there.

I have heard people say that if they don't allow some of their customers to spoof, they're losing business, because some customers have built complete (deployed) solutions that are built on the fact that they can spoof packets. These people will have to be convinced that they're doing it wrong and re-design their solutions. This is going to cost them dearly, so they're going to be upset.

With all the IoT devices out there, do people even need to spoof anymore?

--
Mikael Abrahamsson email: swmike@swm.pp.se