On Sun, 13 Jul 1997, Jon Lewis wrote:
A certain minimal level of network security should be a part of any responsible network. Perhaps it's not practical to run with filters on every router...especially core and big exchange routers. But you can strongly encourage (perhaps require) that all your customers enforce sane filters where applicable. Somewhere in the internet food chain, it is very much practical to install filters, and someone needs to make sure they are in place.

Given that the ISP market is differentiated by the lowest common denominator at this point, this is unlikely to happen. Customers and potential customers vote with their money, and so far, it is very unclear whether doing the "right things" in this regard gives any network a competitive advantage. In fact, it could be argued that this constitutes a competitive disadvantage since engineering for filtering and other such niceties tends to drive up the cost. I suppose that things would be different if we had an educated consumer base, but that seems unlikely to happen any time soon. Furthermore, for many, their connection model of customers makes it impractical for them to filter.

The best we can do is for each individual site/network to do what they can. Given the current environment, something like universal ingress/egress filter deployment is an impossible task. However, I'm not saying that since things are impossible, don't bother doing anything. For those of us who have the customer connection model to support ingress/egress filtering, this should be done at the edges. Also, once we are able to buy real routers that can perform these tasks as part of their aggregation functionality, I'd argue that ingress/egress filtering _should_ become the norm. (not that I'd bet on that happening)

For those who maintain a CPE, it's trivial to integrate ingress/egress filtering into the automated process that's part of installation. This has been done in various different places in the past, the most familiar example to me being CICNet.

-dorian
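
An added example, not part of the original message: a vendor-neutral sketch of deriving edge filters from a customer's provisioning record at install time, as the CPE paragraph describes. The rule tuple format, the function names `build_filters` and `decide`, and the direction labels are assumptions made for illustration; the prefixes are constructed documentation addresses.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def build_filters(customer_prefixes):
    """Build ordered (direction, action, source_network) rules for one customer edge.

    ip_network() is strict, so a provisioning typo with host bits set
    (e.g. "192.0.2.1/24") raises ValueError instead of yielding a wrong filter.
    """
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in customer_prefixes))
    rules = []
    # From the customer: only sources inside the assigned prefixes may pass.
    rules += [("from_customer", "permit", n) for n in nets]
    rules.append(("from_customer", "deny", ANY))
    # Toward the customer: drop packets whose source claims to be inside the
    # customer's own address space, since those can only be spoofed.
    rules += [("to_customer", "deny", n) for n in nets]
    rules.append(("to_customer", "permit", ANY))
    return rules

def decide(rules, direction, src):
    """First matching rule for this direction wins; no match means deny."""
    addr = ipaddress.ip_address(src)
    for rule_dir, action, net in rules:
        if rule_dir == direction and addr in net:
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed provisioning record: two adjacent /25s collapse to one /24.
    rules = build_filters(["192.0.2.0/25", "192.0.2.128/25"])
    for r in rules:
        print(*r)
    # Constructed packets: (direction, source address).
    for direction, src in [("from_customer", "192.0.2.77"),
                           ("from_customer", "198.51.100.9"),
                           ("to_customer", "192.0.2.5"),
                           ("to_customer", "203.0.113.1")]:
        print(direction, src, "->", decide(rules, direction, src))
```
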