On Wed, Mar 27, 2013 at 4:19 PM, Paul Ferguson <fergdawgster@gmail.com> wrote:
> Some people are going to have to step up and add a few thousand more frequent flier miles and get out to various geographic constituencies, at various events, and start talking about this. And we need a lot more people on board. National & international campaigns, etc.
Agree 100%.

One thing that I will mention is a subtle issue that needs more thought. I think one of the challenges for this is answering the question of 'How does this make it better for my network on day one?'. Well, it doesn't for the majority of impact that people may be seeing.

For example - Let us say someone is not currently running a fully BCP38-compliant network (shame on them, blah blah). They can do the remaining work to fix this in XXX hours at YYY cost. The issue for them may be that they are the *destination* of the attacks that leverage non-BCP38 compliant networks. So even after investing XXX hours and YYY dollars it doesn't 'cure' the majority of the problems for them related to spoofing. So any spend on this is not a 'fix' as much as it is a 'fix for others'. (which certainly still needs to be done, don't get me wrong!)

Spoofing remains a problem until *everyone* gets it done or there is enough motivation to get it done without benefit to your own network. If Network_Zed is the last to go BCP38-compliant in 2023, then the rest of the internet is still vulnerable to the nasty items that can take place from the Network_Zed network until that time.

Accepting that, I think we need to find ways to make it where it stays on the radar - as has been suggested via walls of shame, RIR pressure, etc. Perhaps 'spoofing fees' etc.? I hate to have an approach of 'fix this or I will hit you with this stick!' - but this has got to stop.

OK, back to my hole watching all the presumably spoofed incoming traffic that happens to be on udp/53 and looking for ANY? isc.org :-)

-- jason