On Sep 12, 2016, at 1:59 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
* Mel Beckman:
If we can't police ourselves, someone we don't like will do it for us.
That hasn't happened with IP spoofing, has it? As far as I understand it, it is still a major contributing factor in denial-of-service attacks. Self-regulation has been mostly unsuccessful, and yet nothing has happened on the political level.
IP spoofing filtering is more of a technical issue than the social issue of BGP filtering. BGP filtering is feasible in hardware and software today. You can put a 600k line config on most devices without issues, and automate policy generation with a tool like bgpq3 or similar. Most hardware requires a recirculation of the packet to do a lookup on the source IP address. This means halving your NPU performance of something that hasn’t been in the 40 bytes per packet range for quite some time.

- Jared
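
An added example, not part of the original thread and not bgpq3's own code: a sketch of the automated policy generation mentioned in the message above, turning a set of registered prefixes into a prefix-list and checking announcements against it. The prefixes, the list name `CUST-IN` and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: prefixes registered in an IRR for a hypothetical
# customer (documentation address space only).
REGISTERED = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/40"]


def build_filter(prefixes, allow_more_specific_to=None):
    """Return sorted, de-duplicated (network, max_len) filter entries.

    allow_more_specific_to maps IP version -> longest mask accepted;
    by default only the exact registered prefix is accepted.
    """
    caps = allow_more_specific_to or {}
    entries = set()
    for text in prefixes:
        # strict=True rejects entries with host bits set (bad registry data).
        net = ipaddress.ip_network(text, strict=True)
        max_len = max(net.prefixlen, caps.get(net.version, net.prefixlen))
        entries.add((net, max_len))
    return sorted(entries, key=lambda e: (e[0].version, e[0], e[1]))


def render_cisco(name, entries):
    """Render entries in IOS prefix-list syntax, one line per entry."""
    lines = []
    for net, max_len in entries:
        kw = "ip" if net.version == 4 else "ipv6"
        le = f" le {max_len}" if max_len > net.prefixlen else ""
        lines.append(f"{kw} prefix-list {name} permit {net}{le}")
    return lines


def permitted(entries, announced):
    """True if an announced prefix matches an entry; otherwise implicit deny."""
    ann = ipaddress.ip_network(announced, strict=True)
    return any(
        ann.version == net.version
        and ann.subnet_of(net)
        and ann.prefixlen <= max_len
        for net, max_len in entries
    )


if __name__ == "__main__":
    flt = build_filter(REGISTERED, {4: 24, 6: 48})
    print("\n".join(render_cisco("CUST-IN", flt)))
    for p in ["192.0.2.0/25", "203.0.113.0/24", "2001:db8:101::/48"]:
        print(p, "accept" if permitted(flt, p) else "reject")
```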