As one of the coauthors of RFC2827/BCP38: If anyone lauds BCP38 as the "Ultimate and Everlasting solution to Everything," then they need a reality check. :-)
Having said that, it doesn't make its implementation any less of a "right thing" to do.

And having said that, I think well-known hierarchical policy models provide hints at where these sorts of things (policies) should be implemented -- the closer to the edges of the network, the better, of course. Administrative boundaries (edge AS) would seem to be the most plausible place(s).

BCP38 only addresses the core issue of ensuring that packets that claim to be from a prefix other than your own do not leave your network.

- ferg

-- Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote:

On Fri, Oct 27, 2006 at 09:03:47PM +0300, Pekka Savola <[EMAIL PROTECTED]> wrote a message of 19 lines which said:

> While I agree that the text need not necessarily be so absolute, I
> would not consider [such] ingress filtering proper or wide-scale
> deployment. Better than nothing, to be sure, but not enough.

Maybe, but it does not seem that BCP 38, lauded as the Ultimate and Everlasting solution to Everything, strongly warns the ISP about that. It seems it contains no discussion or advice about the best place to put the antispoofing filters. (Some examples or sentences mention filters which are close to the customer, some do not.)

[snip]

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
