On (2013-03-27 11:05 -0500), Jack Bates wrote:
> I'm not arguing that the process can't be done. The problem is, there are a number of networks that don't know it needs to be done and why, or they don't know how to do it. There are a number of networks that have no concept of scripting changes into their routers.
Exactly. If we target BCP38 at the last mile we have 0 hope of achieving sufficient coverage to make spoofing attacks less practical than HTTP GET from an unspoofed address. I think we should educate tier2 operators who offer transit to tier3. It's the most practical place for BCP38.

tier1<->tier2 can't do it; strict IRR prefix-filtering is not practical. tier2<->tier3 can do it; it's practical to do a strict BGP prefix-filter. If you are doing a strict BGP prefix-filter, it's either very easy to generate the ACL while at it, or 0 work in, say, JunOS, as you can just use the same prefix-list for the firewall filter.

Open recursors may have been a discussion point in the pre-DNSSEC world; in the post-DNSSEC world it's easy enough to find large RRs from an arbitrary authoritative server. That is, even if you closed all open recursors the problem would not go away.

--
++ytti
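As an added illustration of the "same prefix-list for both controls" point above (this is example code written for this page, not something posted in the thread or taken from any vendor documentation), the script below takes a customer's permitted prefix list and emits a JunOS-style snippet in which one `prefix-list` is referenced both by the strict BGP import policy and by the inbound firewall filter that implements BCP38. It then simulates that ingress filter against a few constructed packets. The customer name `cust1`, the policy and filter names, and the addresses (RFC 5737 documentation ranges) are all invented for the example; the JunOS syntax should be checked against the platform version you actually run before loading it.

```python
"""Added example: derive the strict BGP prefix filter and the BCP38 ingress
filter from one customer prefix list, and simulate the ingress check offline.
Not from the NANOG thread; names and addresses are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample: prefixes a hypothetical tier-3 customer "cust1" is
# allowed to announce to us (RFC 5737 documentation space).
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed sample packets (src, dst) arriving on the cust1-facing port.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),     # legitimate customer traffic
    ("203.0.113.9", "198.51.100.53"),  # spoofed src: reflection victim's address
    ("10.0.0.1", "203.0.113.5"),       # bogon source
    ("198.51.100.200", "203.0.113.7"), # legitimate, second prefix
]


def junos_config(customer: str, prefixes: Iterable[str]) -> str:
    """Emit a JunOS-style snippet where a single prefix-list drives both the
    import policy (strict BGP prefix filter) and the inbound firewall filter
    (BCP38). Maintaining the list once keeps the two controls in sync."""
    pl = f"{customer}-prefixes"
    body = "\n".join(f"        {p};" for p in prefixes)
    return f"""policy-options {{
    prefix-list {pl} {{
{body}
    }}
    policy-statement {customer}-in {{
        term own-prefixes {{
            from {{
                prefix-list {pl};
            }}
            then accept;
        }}
        term reject-rest {{
            then reject;
        }}
    }}
}}
firewall {{
    family inet {{
        filter {customer}-bcp38 {{
            term own-prefixes {{
                from {{
                    source-prefix-list {{
                        {pl};
                    }}
                }}
                then accept;
            }}
            term drop-spoofed {{
                then {{
                    count spoofed;
                    discard;
                }}
            }}
        }}
    }}
}}
"""


def bcp38_verdict(src: str, prefixes: Iterable[str]) -> str:
    """Simulate the ingress filter: 'accept' if the source address lies inside
    one of the customer's prefixes, otherwise 'discard'. That is the entire
    BCP38 check; the hard part is operational, not technical."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return "accept" if any(addr in n for n in nets) else "discard"


def filter_packets(packets: Iterable[Tuple[str, str]],
                   prefixes: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Apply the verdict to each (src, dst) pair and return (src, dst, verdict)."""
    return [(src, dst, bcp38_verdict(src, prefixes)) for src, dst in packets]


if __name__ == "__main__":
    print(junos_config("cust1", CUSTOMER_PREFIXES))
    for src, dst, verdict in filter_packets(SAMPLE_PACKETS, CUSTOMER_PREFIXES):
        print(f"{src:>16} -> {dst:<16} {verdict}")
```

The policy term matches the prefix-list exactly, which is the strict form the post argues for; if a customer is allowed to announce more-specifics, JunOS needs `prefix-list-filter ... orlonger` in the policy, while the firewall `source-prefix-list` already matches any address within the listed prefixes.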