On Thu, Oct 26, 2006 at 06:03:54AM +0000, Fergie wrote:
> Randy,
>
> I don't think I implied anything of the sort.
>
> I did, however, pipe up when a BCP is mentioned that I endorse, and co-authored -- and likewise, cannot figure out for the life of me why there is such push-back from the Ops community on doing The Right Thing.
The challenge is that the router vendors still haven't done "The Right Thing". I have one device that 1) halves its forwarding table space by enabling u-rpf, and 2) can only do either strict or loose mode rpf *GLOBALLY*, so I cannot strict rpf-check a static customer AND loose rpf someone larger for unrouted space. Because of the above (#1 isn't that bad, but #2 is) I can't enable u-rpf on the device as a policy. Changing one interface from loose -> strict silently changes all other u-rpf interfaces, and then customers gripe about dropped packets. Obviously moving these checks closer to the edge is ideal, such as always doing rpf on the Ethernet LAN interface for your customer CPE.
> Having said that, botnets don't need to spoof addresses -- the sheer dispersion of geographic and AS infection base renders the whole point of spoofing almost moot.
Yup, it's an evolving threat; even if some solution to the botnet problem is discovered, it will take years to fix. Think of the smurf amplifiers that are still out there [1].

- jared

1 - http://www.powertech.no/smurf/

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
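As an added illustration of the strict/loose uRPF distinction and the global-mode limitation Jared describes (this is example code, not anything from the thread or from a vendor), here is a small Python simulation. The FIB, interface names and sample packets are constructed for the example.

```python
import ipaddress

# Constructed FIB for this example: prefix -> egress interface.
# "Null0" marks space deliberately blackholed, i.e. unrouted.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",   # single-homed static customer
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # multi-homed peer, best path via Gi0/2
    ipaddress.ip_network("192.0.2.0/24"): "Null0",     # bogon space, null-routed
}

# The per-interface policy the mail wishes for: strict toward the customer, loose toward peers.
PER_INTERFACE = {"Gi0/1": "strict", "Gi0/2": "loose", "Gi0/3": "loose"}


def lookup(src):
    """Longest-prefix match on the source address; None if there is no route at all."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, egress) for net, egress in FIB.items() if addr in net]
    return max(matches)[1] if matches else None


def rpf_check(src, ingress, mode):
    """True if a packet from src arriving on ingress passes uRPF in the given mode."""
    egress = lookup(src)
    if mode == "strict":
        return egress == ingress            # best route back must point at the ingress interface
    if mode == "loose":
        return egress not in (None, "Null0")  # any real route is enough
    raise ValueError(mode)


def rpf_policy(src, ingress, global_mode=None):
    """Per-interface modes, or one global mode forced on every interface (the limitation described)."""
    return rpf_check(src, ingress, global_mode or PER_INTERFACE[ingress])


# Constructed sample packets: (source, ingress interface, description)
PACKETS = [
    ("203.0.113.5", "Gi0/1", "customer's own address"),
    ("198.51.100.9", "Gi0/1", "customer spoofing the peer's space"),
    ("198.51.100.9", "Gi0/3", "peer traffic arriving asymmetrically"),
    ("192.0.2.7", "Gi0/2", "null-routed bogon source"),
]


def summarize(global_mode=None):
    """Map each sample packet's description to its pass/drop result under the chosen policy."""
    return {desc: rpf_policy(src, ifc, global_mode) for src, ifc, desc in PACKETS}


if __name__ == "__main__":
    for label, mode in (("per-interface", None), ("global strict", "strict"), ("global loose", "loose")):
        print(label, summarize(mode))
```

Global strict drops the asymmetric peer traffic (the "customers gripe" case), while global loose lets the customer's spoofed packets through; only the per-interface policy gets both right.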