In a message written on Wed, Mar 28, 2012 at 12:44:04PM -0700, Michael Thomas wrote:
Except for the small problem that getting cheap home router box manufacturers to do just about anything is a pushing-on-a-string exercise. So if I want to a) protect my network and b) be a good netizen, I'm still going to want to do BCP 38 regardless of whether others violate a, b or both. Right?
BCP38 has nothing to do with a); doing it on your own network doesn't really protect you from much of anything of note. It's all about b), being a good citizen, and having a leg to stand on when you try to convince others to do the same, which will help protect you.

But the home router vendors aren't as hard to make move as you think. True, the chance of them moving in response to the fact that BCP38 exists, or that NANOG wants them to, is zero. Nada, zilch. However, there are some powerful companies that buy a lot of boxes from these vendors. That free-to-the-subscriber box with a Comcast, Verizon, Cox, Cablevision, AT&T, SBC, or other provider label on it is just a rebranded version of one of these devices. If the guy buying several million dollars' worth of the boxes showed up and demanded this feature, it would be done. Once it's done for them, it's a free "feature" they can market in the boxes at Best Buy to try and recover more of their development costs.

So in that sense we need to pressure the ISPs to implement BCP38! Maybe I'm back to agreeing with the OP! However, we need to pressure them not to turn on RPF on their routers (although that's a fine thing too, defense in depth and all; if they can, they should), but to pressure the vendors they are buying from to do it. The standards bodies should be pressured as well, to get it into the specifications.

I think some engineers need to ask some interesting questions, like how, in a box doing NAT to an outside IP, does it ever emit a packet not from that outside IP? The fact that you can spoof packets through some of the NAT implementations out there is mind-blowing to me.

I'm telling you, if the big 10 ISPs would just add one bullet point to their RFPs for equipment:

* Any device performing an IP routing function must default to strict mode unicast RPF for all connected networks as specified in RFC 3704 Section 2.2 as a method of implementing BCP38.

We'd be done with this issue and move on to other things. Sure, there would still be spoofed packets, and yes, other types of operators (like free public wifi and such) still need to do the right BCP38 filtering when configuring their systems... but just having this on all residential gear gets rid of well over 90% of the crud we're all trying to stop.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
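The strict-mode unicast RPF check that the RFP bullet above asks for (RFC 3704 section 2.2), modelled in Python as an added example that is not code from the thread: a packet passes only if the best route back to its source address points out the interface it arrived on. The two-route FIB for a hypothetical home NAT router (LAN prefix plus a WAN default route) is a constructed assumption.

```python
# Strict-mode uRPF (RFC 3704 s2.2) over a toy FIB. Added example; the
# router, its interfaces and the sample packets are all constructed.
import ipaddress

# Constructed FIB for a hypothetical residential NAT router: the LAN
# prefix is reachable via "lan", everything else via the default on "wan".
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]


def best_route(addr, routes=ROUTES):
    """Longest-prefix match: return the outbound interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in routes if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def strict_urpf_accepts(src, in_ifc, routes=ROUTES):
    """Strict uRPF: accept only if the reverse path to src is the ingress interface."""
    return best_route(src, routes) == in_ifc


def filter_packets(packets, routes=ROUTES):
    """Apply strict uRPF to (src, ingress_ifc) pairs; tag each 'pass' or 'drop'."""
    return [("pass" if strict_urpf_accepts(src, ifc, routes) else "drop", src, ifc)
            for src, ifc in packets]


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate LAN host, one LAN host
    # spoofing a public source, and one WAN packet claiming a LAN source.
    sample = [
        ("192.168.1.10", "lan"),
        ("203.0.113.9", "lan"),
        ("192.168.1.10", "wan"),
    ]
    for verdict, src, ifc in filter_packets(sample):
        print(f"{verdict:4} src={src:15} ingress={ifc}")
```

With a default route on the WAN side, strict mode can reject nothing that arrives from the WAN, which is why the check bites on the customer-facing (LAN) side of residential gear.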