On (2014-01-14 08:35 -0800), Damian Menscher wrote:
> I see this as a form of BCP38, but imposed on networks by their transit providers, rather than done voluntarily. It would be great if it could work, but I have doubts due to asymmetric routing announcements intended for traffic shaping.
Yes, I should have specified 'BCP38 in access networks' as being completely unrealistic. (We do BCP38 on all ports and verify programmatically, but I know it's not at all a practical solution globally for access.) An ACL on a transit port is completely harmless; no announcements are needed for traffic to be accepted. There is a very modest number of transit ports globally, and each port will create segmentation of the spoofing domains, having an immediate, significant effect on the benefits of spoofed attacks. RPF obviously is a non-starter for the reasons you stated.
> I'd expect that to take 20 years or more. Even if new standards are defined, the old servers will only be removed when they physically fail.
It would have to be carried over UDP initially, and that support probably would have to live for 20 years. But a new-L4-over-UDP version could be deployable rapidly. I'm very optimistic that if we had a useful L4 for DNS, a significant portion of relevant DNS servers could be upgraded rapidly to support it. We may be able to use existing data for this: how many servers went from the DNS source port to a random source port to add entropy and reduce the chance of poisoning attacks? A good portion of end users are running W7, W8, OSX, which update themselves automatically, so end-user support could come automatically and not require action from users. Phones, tablets etc. have short upgrade cycles anyhow. The native-UDP port could then be policed heavily, making the pay-off of reflected attacks poor and motivating the rest of the users to take the actions needed for the new L4.
> My crazy proposal: get international agreement that sending spoofed packets
Agreed, crazy.

-- 
  ++ytti
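To make the "ACL on a transit port vs. RPF" point concrete, here is an added example that is not part of the thread or anyone's posted code. It models a transit router with a downstream port where one allocated prefix is deliberately announced only via another provider (the asymmetric traffic-shaping case Damian raised): strict uRPF drops that legitimate traffic, while a static source ACL built from the allocation accepts it and still drops spoofed sources. The topology, interface names ("cust", "upstream"), prefixes and the IOS-style ACL rendering are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample topology, not taken from the thread: a transit router with a
# downstream-facing port "cust" and an upstream port "upstream". Names are assumptions.
ALLOCATED = [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("203.0.113.0/24")]   # what the downstream may source


@dataclass
class Router:
    rib: dict = field(default_factory=dict)   # prefix -> egress interface
    acl: dict = field(default_factory=dict)   # ingress interface -> permitted source prefixes

    def lookup(self, addr):
        """Longest-prefix match of addr against the RIB; returns the egress interface."""
        addr = ipaddress.ip_address(addr)
        best_prefix, best_iface = None, None
        for prefix, iface in self.rib.items():
            if addr in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
                best_prefix, best_iface = prefix, iface
        return best_iface

    def strict_urpf(self, iface, src):
        """Strict uRPF: accept only if the best route back to src points out the ingress port."""
        return self.lookup(src) == iface

    def ingress_acl(self, iface, src):
        """Static source ACL derived from the allocation, independent of what is announced."""
        addr = ipaddress.ip_address(src)
        return any(addr in p for p in self.acl.get(iface, []))


def build_router():
    r = Router()
    r.rib[ipaddress.ip_network("0.0.0.0/0")] = "upstream"
    r.rib[ipaddress.ip_network("198.51.100.0/24")] = "cust"      # announced to us on cust
    # 203.0.113.0/24 is announced only via another provider for traffic shaping,
    # so our best route to it leaves via upstream even though cust may source it.
    r.rib[ipaddress.ip_network("203.0.113.0/24")] = "upstream"
    r.acl["cust"] = ALLOCATED
    return r


def classify(router, iface, src):
    """Return the accept (True) / drop (False) verdict of both mechanisms for one packet."""
    return {"urpf": router.strict_urpf(iface, src),
            "acl": router.ingress_acl(iface, src)}


def ios_style_acl(name, prefixes):
    """Render the allocation as an IOS-style extended ACL (syntax assumed, illustrative only)."""
    lines = [f"ip access-list extended {name}"]
    for p in prefixes:
        lines.append(f" permit ip {p.network_address} {p.hostmask} any")
    lines.append(" deny ip any any")
    return lines


if __name__ == "__main__":
    r = build_router()
    # Legitimate, announced here; legitimate but announced elsewhere; spoofed.
    for src in ("198.51.100.10", "203.0.113.5", "192.0.2.1"):
        print(src, classify(r, "cust", src))
    print("\n".join(ios_style_acl("CUST-IN", ALLOCATED)))
```

Running it shows 203.0.113.5 rejected by strict uRPF (its best route leaves via upstream) but accepted by the allocation-based ACL, while the spoofed 192.0.2.1 is dropped by both; the ACL needs nothing to be announced on the port, which is the "completely harmless" property argued for above.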