On Wed, Jul 2, 2014 at 2:00 PM, Jared Mauch <jared@puck.nether.net> wrote:
No, but how else do you suggest we work to address these problems? While a naked run isn't my first choice, I am interested in practical solutions and responses. I've privately and publicly documented some of my challenges securing my networks with BCP-38. While perhaps not obviously related there is also the issue of BGP filtering and other things that create a nexus of interrelated items.
Hi Jared, Have you ever known any problem to be solved with stronger awareness of the rules of whack-a-mole? The first level of the problem is technical: there's no efficient protocol for propagating knowledge about acceptable sources from each link from router to router and not nearly enough TCAM in shipping models to implement such a protocol if it existed. Every current anti-spoofing approach either involves slow and mistake-prone manual effort or is tied to trivial single-homed routing cases so often implemented by inept junior staff at third-tier networks. The second level of the problem is financial -- some customers will pay you to avoid being victims of the problem but none will pay you to avoid being facilitators. Protocols, software and TCAMs are expensive. Far more expensive than the abject lack of penalties, lawsuits, shutdowns and public shaming which result from the discovery of leaky origins. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004