On 2/5/14, 7:11 PM, "Mark Andrews" <marka@isc.org> wrote:
Well when industries don't self regulate governments step in. This industry is demonstratably incapble of regulating itself in this area despite lots of evidence of the problems being caused for lots of years.
Which industry is that? App providers that have not implemented? Hosting providers that have not? Transit providers that have not? Access network ISPs that have not? Large enterprises and education networks that have not? ;-) I still prefer a list of specific networks that need to pay attention to improving anti-spoofing since otherwise I think most of us are in violent agreement on the need.
This has been DOCUMENTED BEST CURRENT PRACTICE for 13.5 years. Everybody else is having to deal the problems caused by these bad actors.
Hell, I suspect you could send the directors to gaol or make them pay a heavy fine today by properly examining the existing laws. A new law would just make the problem more explicit.
In the U.S. one of the FCC Communications Security, Reliability, and Interoperability Council (CSRIC) working groups is focused on this issue. I do not know what is happening in other jurisdictions. Jason