This is why policy, as painful as it is to produce, is useful. There isn't even general agreement on whether (or what!) Cloudfare is doing is a problem. Which is why interested parties need to get together and agree on some sort of policy regarding this and similar things. Or not and just let it go. That policy could, at least in theory, be attached to peering agreements, BGP agreements, address allocations, etc as contracts as a means of enforcement. And if necessary presented to law enforcement or courts as clearly defined violations of GAAP. It may not be a law per se but it's the sort of thing a court case might use, say in a civil damages suit or even law enforcement action, to establish that defendant's behavior exhibited reckless disregard and so on. As an analogy you can't accuse someone of mayhem if no one can be bothered to write down what mayhem might be and why the defendant should have known their actions were mayhemic. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*