Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)
This would appear, on its face, to be an easy exercise in educating the ISPs in the foodchain.
Is there reasonable enough interest with NANOG to do that? If so, I volunteer to workshop at the next NANOG. But only if there is reasonable consensus to that effect. Or someone else could do it, too. :-)
The point I'm trying to make is that if the community thinks it is valuable, then the path is clear. If not, then...
- ferg
-- Sean Donelan <sean@donelan.com> wrote:
The only data I have is from the MIT anti-spoofing test project which has been pretty consistent for a long time. About 75%-80% of the nets, addresses, ASNs tested couldn't spoof, and about 20%-25% could.
The geo-location maps don't show much difference between parts of the world. RIPE countries don't seem to be better or worse than ARIN countries or APNIC countries or so on. ISPs on every continent seem to be about the same.
http://spoofer.csail.mit.edu/summary.php
If someone finds the silver bullet that will change the remaining 25% or so of networks, I think ISPs on every continent would be interested.
On Thu, 26 Oct 2006, Fergie wrote:
No.
I think that is indicative of the problem.
Don't you?
-- Sean Donelan <sean@donelan.com> wrote:
On Thu, 26 Oct 2006, Fergie wrote:
I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively perusing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38.
It is nothing less than irresponsible, IMO...
Why _is_ that?
Do you have any data concerning the actual consistent deployment of BCP38++ in different parts of the world?
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
On Thu, 26 Oct 2006, Fergie wrote:
The point I'm trying to make is that if the community thinks it is valuable, then the path is clear.
What is the biggest problem to solve?
Would it be enough for ISPs to make sure that they will not send out packets which didn't belong within their PA blocks, or is it that one user shouldn't be able to spoof at all (even IPs adjacent to their own)?
Would the global problem go away if global spoofing stopped working?
I of course realise that it's best if user cannot spoof at all, but it might be easier for ISPs to filter based on their PA blocks than to (in some cases) purchase new equipment to replace their current equipment that cannot do IP spoof filtering.
--
Mikael Abrahamsson email: swmike@swm.pp.se
On Thu, 26 Oct 2006, Mikael Abrahamsson wrote:
On Thu, 26 Oct 2006, Fergie wrote:
The point I'm trying to make is that if the community thinks it is valuable, then the path is clear.
I of course realise that it's best if user cannot spoof at all, but it might be easier for ISPs to filter based on their PA blocks than to (in
do your customers:
1) not bring their own ip space?
2) always advertise to you their ip space?
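The two filter placements raised in this thread, compared side by side as an added example (not code from any poster): a coarse border filter on the ISP's PA blocks versus a per-customer source filter at the edge. All prefixes are documentation ranges, and the customer names, function names and the assumption that each customer's prefixes are known in advance are constructed for illustration.

```python
import ipaddress

# Constructed topology using documentation prefixes (not from the thread).
PA_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]  # ISP's own PA space
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/28")],   # PA assignment only
    "cust-b": [ipaddress.ip_network("198.51.100.16/28"),   # PA assignment
               ipaddress.ip_network("203.0.113.0/24")],    # plus its own space
}

def _matches(src, networks):
    """True if the source address falls inside any of the given networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)

def border_pa_filter(src):
    """Coarse filter at the ISP border: permit only sources inside the PA blocks."""
    return _matches(src, PA_BLOCKS)

def customer_edge_filter(customer, src):
    """Per-port filter: permit only prefixes known to belong to that customer."""
    return _matches(src, CUSTOMER_PREFIXES[customer])

def evaluate(customer, src):
    """Return which of the two filters would permit this source address."""
    return {"border_pa": border_pa_filter(src),
            "customer_edge": customer_edge_filter(customer, src)}

# (customer port, source address, description), all constructed
CASES = [
    ("cust-a", "198.51.100.5", "customer's own address"),
    ("cust-a", "198.51.100.20", "neighbour's address inside the PA block"),
    ("cust-a", "192.0.2.99", "address outside the ISP entirely"),
    ("cust-b", "203.0.113.7", "customer-owned (non-PA) space"),
]

if __name__ == "__main__":
    for customer, src, what in CASES:
        verdict = evaluate(customer, src)
        print(f"{customer} {src:<15} {what:<40} {verdict}")
```

The second case is the adjacent-address spoof that a PA-only border filter lets through. The fourth is legitimate traffic from customer-owned space, which a PA-only filter drops unless those prefixes are also listed.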
participants (3)
- Chris L. Morrow
- Fergie
- Mikael Abrahamsson