Leo, On Mar 28, 2012, at 8:13 AM, Leo Bicknell wrote:
#1) Money. #2) Laziness.
While Patrick is spot on, there is a third issue which is related to money and laziness, but also has some unique aspects.
BCP38 makes the assumption that the ISP does some "configuration" to insure only properly sourced packets enter the network. That may have been true when BCP38 was written, but no longer accurately reflects how networks are built and operated.
An interesting assertion. I haven't looked at how end-user networks are built recently. I had assumed there continue to be customer aggregation points within ISP infrastructure in which BCP38-type filtering could occur. You're saying this is no longer the case? What has replaced it?
BCP38 needs
to be applied at the OEM level in equipment maufacturing, not at the operational level with ISP's.
I don't believe this is either/or. I agree that BCP38 features should be turned on by default in CPE, however I believe it really needs to be enforced at the ISP level.
As long as folks keep beating on (consumer) ISPs to implement BCP38, nothing will happen.
Optimist. Actually, given the uptick in spoofing-based DoS attacks, the ease in which such attacks can be generated, recent high profile targets of said attacks, and the full-on money pumping freakout about anything with "cyber-" tacked on the front, I suspect a likely outcome will be proposals for legislation forcing ISPs to do something like BCP38. Regards, -drc