BCP 38 coverage if top x providers ...
My google fu is failing me, but I believe there was a NANOG posting a year or two ago that mentioned that if the top x providers would implement BCP 38 then y% of the traffic (or Internet) would be de-spoofed. The point was that we don't even need everyone to implement BCP 38, but if the largest (transit?) providers did it, then UDP reflection attacks could be minimized.

If someone can recall the key words in that posting and dig it up, that would be much appreciated.

Frank
Hi Frank,

Applying BCP38 at that level is more risky because of the sheer volume of transit & prefixes.

For years, people have been working hard pushing the responsibility of BCP38 to outside their sandbox. You may remember one of those instances.

-----
Alain Hebert                          ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles, P.O. Box 26770, Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 11/19/16 21:13, Frank Bulk wrote:

> My google fu is failing me, but I believe there was a NANOG posting a year or two ago that mentioned that if the top x providers would implement BCP 38 then y% of the traffic (or Internet) would be de-spoofed. The point was that we don't even need everyone to implement BCP 38, but if the largest (transit?) providers did it, then UDP reflection attacks could be minimized.
>
> If someone can recall the key words in that posting and dig it up, that would be much appreciated.
>
> Frank
On Nov 19, 2016, at 9:13 PM, Frank Bulk <frnkblk@iname.com> wrote:

> My google fu is failing me, but I believe there was a NANOG posting a year or two ago that mentioned that if the top x providers would implement BCP 38 then y% of the traffic (or Internet) would be de-spoofed. The point was that we don't even need everyone to implement BCP 38, but if the largest (transit?) providers did it, then UDP reflection attacks could be minimized.
>
> If someone can recall the key words in that posting and dig it up, that would be much appreciated.

If you assume 80% of traffic comes out of your local CDN node, that remaining 20% may not be too difficult for you to do something with. The problem appears because various engineering thresholds that existed in the 90s have been violated.

40(64) byte packet testing is no longer the norm by vendors. Those of us who carry a full table and are expected to provide all the features are the minority in purchasing equipment by volume and revenue, so the push is harder. A double lookup of the packet is twice as expensive and perhaps impractical in some (or many) cases.

- Jared
----- Original Message -----
From: "Jared Mauch" <jared@puck.nether.net>
To: "Frank Bulk" <frnkblk@iname.com>
Cc: nanog@nanog.org
Sent: Tuesday, November 22, 2016 10:44:09 AM
Subject: Re: BCP 38 coverage if top x providers ...
> If you assume 80% of traffic comes out of your local CDN node, that remaining 20% may not be too difficult for you to do something with. The problem appears because various engineering thresholds that existed in the 90s have been violated.
>
> 40(64) byte packet testing is no longer the norm by vendors. Those of us who carry a full table and are expected to provide all the features are the minority in purchasing equipment by volume and revenue, so the push is harder. A double lookup of the packet is twice as expensive and perhaps impractical in some (or many) cases.
It was me, Frank, as I said in an offlist email your mail server a) didn't like and b) took 4 days to complain about. :-)

I believe I said "top 10" or "top 20" eyeball carriers, and I was shooting from the hip, based on my apprehension of the sizes thereof. 80/20 rule, as Jared implies.

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
* Jared Mauch:
> A double lookup of the packet is twice as expensive and perhaps impractical in some (or many) cases.
Do you actually have to filter all packets? Or could you just sample a subset and police the offenders, on the assumption that if you don't implement an anti-spoofing policy, you end up with near-constant leakage?
Wouldn't you want BCP38 policies to be as close as possible to the traffic sources? Instead of creating more "fake" traffic? And at the same time, partial filtering doesn't seem like a very effective way to fight spoofed traffic on a large scale.

On 03/24/2017 11:07 AM, Florian Weimer wrote:
> * Jared Mauch:
>
> > A double lookup of the packet is twice as expensive and perhaps impractical in some (or many) cases.
>
> Do you actually have to filter all packets? Or could you just sample a subset and police the offenders, on the assumption that if you don't implement an anti-spoofing policy, you end up with near-constant leakage?
* Laurent Dumont:
> Wouldn't you want BCP38 policies to be as close as possible to the traffic sources? Instead of creating more "fake" traffic?
Maybe as close as possible, but still without sacrificing source network attribution is sufficient.
> And at the same time, partial filtering doesn't seem like a very effective way to fight spoofed traffic on a large scale.
That depends on the problems caused by spoofed traffic. My hunch is that non-policing networks emit a constant trickle of spoofed traffic which does not cause any problems, and that traffic can be used to detect lack of policing even without actual abuse of the spoofing capability.
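The two mechanisms this subthread turns on, Jared's extra source-address lookup (strict uRPF, the usual router implementation of BCP 38 on a customer-facing edge) and Florian's idea of sampling a subset of packets to find the interfaces that leak spoofed sources, shown together in an added Python example that is not from any poster. The FIB, interface names, sampled flow records and the 25% policing threshold are all constructed; a real deployment would feed NetFlow/sFlow samples and the router's actual FIB into the same logic.

```python
import ipaddress
from collections import Counter

# Constructed FIB (not from the thread): prefix -> interface it is reachable via.
# Strict uRPF, the "second lookup" Jared refers to, accepts a packet only if its
# *source* address routes back out the interface the packet arrived on. That is
# sound on customer edges (Laurent's point) but misfires on transit links with
# asymmetric routing, so only customer-facing interfaces are sampled below.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "cust-a",     # customer A edge
    ipaddress.ip_network("198.51.100.0/24"): "cust-b",  # customer B edge
    ipaddress.ip_network("203.0.113.0/24"): "cust-c",   # customer C edge
    ipaddress.ip_network("0.0.0.0/0"): "transit",       # default route
}

def rpf_interface(src):
    """Longest-prefix match on the source address; returns its egress interface."""
    addr = ipaddress.ip_address(src)
    best = max((n for n in FIB if addr in n), key=lambda n: n.prefixlen)
    return FIB[best]

def is_spoofed(src, ingress):
    """Strict uRPF verdict: the source must route back via the ingress interface."""
    return rpf_interface(src) != ingress

# Constructed 1-in-N sampled flow records as (source address, ingress interface).
SAMPLES = [
    ("192.0.2.10", "cust-a"), ("192.0.2.77", "cust-a"), ("192.0.2.9", "cust-a"),
    ("198.51.100.5", "cust-b"), ("10.9.8.7", "cust-b"), ("198.51.100.8", "cust-b"),
    ("203.0.113.4", "cust-c"), ("192.0.2.5", "cust-c"), ("172.16.4.4", "cust-c"),
    ("203.0.113.9", "cust-c"),
]

def leakage_by_interface(samples):
    """Fraction of sampled packets per ingress interface that fail strict uRPF."""
    seen, bad = Counter(), Counter()
    for src, ingress in samples:
        seen[ingress] += 1
        if is_spoofed(src, ingress):
            bad[ingress] += 1
    return {i: bad[i] / seen[i] for i in seen}

def non_policing_interfaces(samples, threshold=0.25):
    """Ingress interfaces whose sampled leakage exceeds the threshold: the
    'offenders' Florian's sampling approach would single out for policing."""
    rates = leakage_by_interface(samples)
    return sorted(i for i, r in rates.items() if r > threshold)

if __name__ == "__main__":
    for iface, rate in sorted(leakage_by_interface(SAMPLES).items()):
        print(f"{iface}: {rate:.0%} of sampled packets fail strict uRPF")
    print("police:", non_policing_interfaces(SAMPLES))
```

Note that a constant trickle from a customer port, as in cust-b and cust-c here, is visible in the samples long before that port is used for a reflection attack, which is exactly the detection signal Florian describes.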