Jon Lewis <jlewis@inorganic5.fdt.net> writes:
> A certain minimal level of network security should be a part of any responsible network.
Out of curiosity, do you yourselves do source-based IP filtering at all your edges? (Dialups, dedicated customers, gateways to your own PeeCee/Workstation gear, and so on and so forth) I don't disagree with you: everyone *ought* to filter out bogus source addresses, and this *ought* to happen as close to the edge as possible, so that a reasonable "tree of trust" would assist in tracking down where any given source-spoofing attack could *not* be coming from. Without this "tree of trust", the farther away you get from the valid origin of any given prefix, the less reliable your decision to filter or not filter a packet that claims to be originated there will be. This gets awkward for large providers, since they probably don't want to cause outages to customers or customers' customers, or customers' customers' customers... On the other hand, in a purely PA-addressed Internet, this is very simple, so much so that filtering could even be done on very large amounts of traffic, even without routers which are specifically designed with source-based filtering in mind. However, once again the addressing shortcomings of IPv4 (and these are duplicated in IPv6) get in the way of building a scalable, reliable, secure Internet without involving NAT devices.
> Somewhere in the internet food chain, it is very much practical to install filters, and someone needs to make sure they are in place.
Yes: if from your perspective you are certain that a particular interface should only generate source addresses within a certain prefix, or conversely you can guarantee that the only valid source for packets originated with that prefix is across a particular interface or small set of interfaces, then building safety-providing filters that do not cause unwanted disconnectivity is easy. The problem is in the certainty...

Sean.
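An added illustration, not part of the thread, of the edge-versus-core asymmetry discussed above: a small Python model of source-based ingress filtering in which the interface names and prefixes are constructed, edge ports carry narrow trusted prefixes, and the core only sees aggregates.

```python
import ipaddress

# Constructed topology (example only): each interface maps to the source
# prefixes it is trusted to originate. Edge ports are narrow and exact;
# the aggregated core view is coarser, which is the point the thread makes.
EDGE = {
    "dialup0": ["192.0.2.0/29"],
    "cust-serial1": ["198.51.100.0/24"],
}
CORE = {
    "peer-gig0": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"],
}


def build_filter(interfaces):
    """Parse the prefix strings once into ip_network objects."""
    return {name: [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in interfaces.items()}


def ingress_decision(filters, iface, src):
    """Source-based ingress check for one packet.

    'forward' if src falls inside a prefix iface is trusted to originate,
    'drop' if it does not, and 'unknown' if we have no stated certainty
    about iface at all (the case where filtering risks an outage).
    """
    if iface not in filters:
        return "unknown"
    addr = ipaddress.ip_address(src)
    return "forward" if any(addr in net for net in filters[iface]) else "drop"


def cannot_have_come_from(filters, src):
    """The 'tree of trust' in reverse: interfaces whose trusted prefixes
    exclude src, i.e. where a spoofed packet could NOT have entered."""
    addr = ipaddress.ip_address(src)
    return sorted(name for name, nets in filters.items()
                  if not any(addr in net for net in nets))


if __name__ == "__main__":
    edge, core = build_filter(EDGE), build_filter(CORE)
    spoofed = "192.0.2.200"  # inside the /24 aggregate, outside dialup0's /29
    print("edge :", ingress_decision(edge, "dialup0", spoofed))    # drop
    print("core :", ingress_decision(core, "peer-gig0", spoofed))  # forward
    print("ruled out:", cannot_have_come_from(edge, spoofed))
```

The same spoofed source is dropped at the edge but passes the aggregate-based core filter, which is why the thread argues filtering belongs as close to the edge as possible.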