On 2/4/2014 2:18 PM, John Levine wrote:
> If just three of the transit-free networks rewrote their peering contracts such that there was a $10k per day penalty for sending packets with source addresses the peer should reasonably have known were forged, this problem would go away in a matter of weeks.
>
> Won't work because no one will sign that contract.
>
> Oh, right, how hard can it be to put a bell on that pesky cat?
>
> I was at a conference with people from some Very Large ISPs. They told me that many of their large customers absolutely will not let them do BCP38 filtering. ("If you don't want our business, we can find someone else who does.") The usual problem is that they have PA space from two providers and for various reasons, not all of which are stupid, traffic with provider A's addresses sometimes goes out through provider B. Adding to the excitement, some of these customers are medium sized ISPs with multihomed customers of their own.
> I don't know BGP well enough to know if it's possible to send out announcements for this situation, this address range is us, but don't route traffic to it. Even if it is, not all of the customers do BGP, some are just stub networks.
> If we could figure out a reasonable way (i.e., one that the customers might be willing to implement) to handle this, it'll make BCP38 a lot more doable.
BCP84? :-)

- ferg

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
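To make the multihoming problem in the thread concrete, here is an added illustration (not from either poster) of the two ingress-filter shapes an upstream can apply on a customer port: one that admits only the block that provider itself assigned, and one that admits every prefix the customer legitimately holds from all of its providers. The prefixes and packet sources are constructed documentation-range values.

```python
import ipaddress

# Constructed example: the customer holds PA space from two upstreams.
PROVIDER_A_ASSIGNMENT = ["192.0.2.0/24"]      # assigned by provider A
PROVIDER_B_ASSIGNMENT = ["198.51.100.0/24"]   # assigned by provider B

# Constructed sources seen on provider A's customer-facing port.
PACKET_SOURCES = [
    "192.0.2.10",      # legitimate: provider A's space
    "198.51.100.7",    # legitimate: provider B's space, exiting via A
    "203.0.113.9",     # forged: not assigned to this customer at all
]


def build_ingress_filter(prefixes):
    """Compile a list of prefix strings into ip_network objects."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def classify(sources, allowed):
    """Apply a BCP38-style source check: accept only sources inside
    an allowed prefix. Returns {source: 'accept' | 'drop'}."""
    verdicts = {}
    for src in sources:
        addr = ipaddress.ip_address(src)
        ok = any(addr in net for net in allowed)
        verdicts[src] = "accept" if ok else "drop"
    return verdicts


def provider_only_filter():
    """Filter that knows only what provider A assigned: drops the
    customer's legitimate provider-B-sourced traffic along with the forgery."""
    return classify(PACKET_SOURCES, build_ingress_filter(PROVIDER_A_ASSIGNMENT))


def customer_wide_filter():
    """Filter built from every prefix the customer holds (the BCP84 shape
    for multihomed customers): still drops the forgery, keeps both legitimate flows."""
    allowed = build_ingress_filter(PROVIDER_A_ASSIGNMENT + PROVIDER_B_ASSIGNMENT)
    return classify(PACKET_SOURCES, allowed)


if __name__ == "__main__":
    print("provider-only:", provider_only_filter())
    print("customer-wide:", customer_wide_filter())
```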