On Fri, 25 Oct 2002, Paul Vixie wrote:
money. this whole thing is really about money. but "1" isn't getting done because the money that could be saved is by ISP "B" whereas the money which must be spent is by ISP "A". so, the nondeployment of BCP38 is all about money, too.
As the other Sean (Doran) likes to say, write a check. But that is too simplistic. It presumes only B saves money and only A spends money. On any particular day either A or B may be losing money due to attacks. I suspect on most days, both A and B are losing money. Money is probably 4 or 5 on the list of reasons why source address validation doesn't get implemented.
the thing i'm trying to work my way back to is that "2" and "3" can be argued to restrict desireable freedoms (like reaching SMTP or WWW servers without being forced to use a local proxies) whereas "1" has no arguments against it, or at least no arguers here on nanog today. why lump them all three together?
Source address validation, or more generally anti-spoofing filters, do not require providers maintain logs, perform content inspection or install firewalls. But source address validation won't stop attacks, viruses, child porn, terrorists, gambling, music sharing or any other evil that exists in the world. So the proposal "1" gets extended to include other stuff. It gives better ROI when more than SAV is included. "1" is install provider managed firewalls to perform a. validate source addresses b. perform virus checking c. maintain forensic logs d. other "policy enforcement" to be determined e. anything else someone can think of What worries me is "scope creep." All sorts of stuff is getting thrown into the security pot.