----- Original Message -----
From: "Florian Weimer" <fw@deneb.enyo.de>
* Jason Iannone:
Are uRPF and BCP38 interchangeable terms in this discussion? It seems impractical and operationally risky to implement two unique ways to DoS customers. What are the lessons learned by operators doing static output filters, strict uRPF, or loose/feasible uRPF?
Historically (in 1998, when RFC 2267 was released), BCP 38 was an egress filter applied at the AS boundary.
You meant ingress, no?

The control of the address space allocation resides with the upstream, as must control of the filtering.

You *can* do BCP38 egress filtering on your network, but that filter would *be in control of the Bad Guys* whom we're trying to kill off. The filtering needs to be on the other side of the administrative span of control fence.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274