On Thu, 11 Sep 2008 00:28:25 PDT, Jo Rhett said:
I've been in, near, or directly in touch with enough big provider NOCs in the last year on various DoS attach research issues, and nearly nobody... that's right NONE of them were using BCP38 consistently. Name the five biggest providers you can think of. They ain't doing it. Now name the five best transit providers you can think of. They ain't doing it either. (note that all of these claimed to be doing so in that survey, but during attack research they admitted that it was only in small deployments)
Part of the problem is that if you're talking about the 5 biggest providers, and the 5 biggest transit, you're talking about places with routing swamps big enough, and with sufficient dragons in residence, that you really *can't* do BCP38 in any sane manner. AS1312 (us) is able to do very strict BCP38 on a per-port level on every router port, because we *know* what's supposed to be on every subnet. By the time you walk our list of upstreams to any of the '5 biggest anything', you've gotten to places where our multihomed status means you can't filter our source address very easily (or more properly, where you can't filter multihomed sources in general).
If someone told me (truthfully) that there was 10% BCP38 compliance out there, I'd be surprised given what I have observed.
The MIT Spoofer project seems to indicate that closer to 50% *of the edge* is doing sane filtering. And that's where you need to do it - *edge* not *core*.