deprecating BCP38 and similar
I think I'll change my position on BCP38. It's pointless to try blocking spoofed source addresses because:

* It doesn't solve every single problem
* It means more effort for service providers
* It requires more CPU processing power
* Using it will generate smarter "black hats".

I also think everyone should drop all forms of IP ACLs and password checking. Neither of those have solved every Internet problem, they require more effort and CPU, and smarter crackers have surfaced as a result of their deployment. These measures are ineffective, and it is silly to waste time with them.

Anyone from Microsoft listening? I suggest you terminate your Trustworthy Computing Initiative. Not every problem is caused by a buffer overrun or race condition, and you're wasting billions of dollars. I suggest you post regularly to NANOG, helping educate the masses that anything less than a silver bullet is wasteful.

Eddy, who hopes everyone recognizes hyperbole and sarcasm
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses:
davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
With everything, you should look at the effort, the returns and the risks. Some simple things can have major benefits, but we shouldn't waste effort on major changes that have little effect and that can be circumvented (I'm referring to the port 25 blocking discussion of course; wrt BCP38 I don't think anyone [with clue] thinks it's not worthwhile).

Steve

On Mon, 11 Oct 2004, Edward B. Dreger wrote:
I think I'll change my position on BCP38. It's pointless to try blocking spoofed source addresses because:
* It doesn't solve every single problem
* It means more effort for service providers
* It requires more CPU processing power
* Using it will generate smarter "black hats".
I also think everyone should drop all forms of IP ACLs and password checking. Neither of those have solved every Internet problem, they require more effort and CPU, and smarter crackers have surfaced as a result of their deployment. These measures are ineffective, and it is silly to waste time with them.
Anyone from Microsoft listening? I suggest you terminate your Trustworthy Computing Initiative. Not every problem is caused by a buffer overrun or race condition, and you're wasting billions of dollars. I suggest you post regularly to NANOG, helping educate the masses that anything less than a silver bullet is wasteful.
Eddy, who hopes everyone recognizes hyperbole and sarcasm
participants (2)
- Edward B. Dreger
- Stephen J. Wilcox