On 3/26/13, Dobbins, Roland <rdobbins@arbor.net> wrote:
> On Mar 26, 2013, at 9:51 PM, Jay Ashworth wrote:
>> Do the engineering heads at the top 10 tier-1/2 carriers carry enough water to make that sale to the CEOs?
>
> Unfortunately, no - else it would've come to pass quite some time ago.

Perhaps you should reframe your strategy as a "security problem", and show how providers have implemented BCP38, how it is such a common practice, that not implementing BCP38 may fall short of the minimum standard of due care required to avoid liability, in case your network is abused to launch an attack. It incurs possible legal risks that should be reviewed by lawyers, due to possible liability in facilitating a DoS attack.

That may be better at persuading your CEOs of large SPs than "It's just good engineering"; it's not that following BCP38 is just excellent practice. It's also that ignoring BCP38 in some circumstances might be extremely poor, even negligent practice.

Possibly develop an industry certification/accreditation based on network engineering practices, and make it potentially so that service providers want to carry it. Then their marketing people can display their "See, our network is more secure and reliable" logo on the website, and pressure other networks to seek 3rd party qualification; include BCP38 as one of several criteria, "designed to help reduce the degree of malicious activity, unmitigated DoS incidents, instability, or poor/inconsistent user experience".

If enough networks carry some sort of mark of quality, then maybe it becomes meaningful as a tool of persuasion: there may be a smaller quantity of demand for the purchase of services from networks that don't carry it, unless they compensate by lowering their price.

While you're at it, include as recommended practices, and provide multiple levels of "Verified good network neighbor" status:

o 3rd party audited practices with regards to responsiveness and cooperation by contacts to address abuse and connectivity issues.
o A requirement that the network have a policy of assisting with the mitigation of attacks traversing any peers or customers, through required extensive network information sharing.
o Truthful representation of service in all marketing materials.
o No "banned" internet protocols or ports (e.g. "Our network doesn't allow SSH protocol"); no NAT'ing by the SP.
o A no-spamming policy, a no-repeated-failed-login policy, a no port scanning policy, a no DoS policy that includes a requirement that the SP investigate spam or other complaints and take sufficient actions to disable offending hosts or networks, or ensure further spam is blocked.
o Appropriate filtering of incoming BGP announcements.
o Accurate WHOIS information, listing the actual contact, no 3rd party or intermediary for number resources, domains, etc.
o Easily accessible and responsive technical and abuse contacts for all services.
o Not subverting or altering DNS query responses, or other packets, as they cross the network; for example, not offering name lookup servers that claim to provide DNS service, but covertly rewrite or capture NXDOMAIN or other responses, sending an altered response instead.

--
-JH