(Mobile device) On Mar 26, 2013, at 11:06 AM,Valdis.Kletnieks@vt.edu wrote:
On Tue, 26 Mar 2013 10:51:45 -0400, Jay Ashworth said:
Do we need to define a flag day, say one year hence, and start making the sales pitch to our Corporate Overlords that we need to apply the IDP to edge connections which cannot prove they've implemented BCP38 (or at very least, the source address spoofing provisions thereof)?
How would one prove this? (In particular, consider the test "have them download the spoofer code from SAIL and run it" - I'm positive there will be sites that will put in a /32 block for the test machine so it "fails" to spoof but leave it open for the rest of the net).
Well, I'm not sure this is what's being suggested by Jay, but many peering agreements/policies have something in them that say "prevent spoofing to best effort". Such statements could be strengthened in a global effort, and then spoofed source addresses could lead to depeering much faster/harder than what happens today. It would be reactionary rather than proactive, but still better than what we have now where spoofing is kind of like "it can't be helped". -- Darius Jahandarie