I reviewed the draft version 02 and I approve moving it forward to a BCP RFC.

However, if there's a version 03 in preparation, I think it should show more clearly the recommendation of turning off recursion, or restricting it to a "trusted" audience, as mentioned by Olafur.

Moreover, and FWIW, even if wide deployment of BCP 38 could be the best solution, I believe that "education" on anti-spoofing measures should be widened/extended to reach the whole community of network administrators (and not only those working for ISPs). Would it be possible, for example, to recommend complementing ingress filtering on the ISP side with "egress filtering" on the customer's side? That consists, on the customer's side, in filtering out all traffic not originated from IP addresses belonging to the customer, consequently stopping spoofed traffic at an earlier stage (in case the attacker has no privileged access to the site's edge router/firewall :-). By the way, early egress filtering may be viewed at least as an anti-spoofing enforcement and may be even more useful in case the ISP doesn't (properly) apply ingress filtering.

Mohsen.

On 08 Nov, Peter Koch wrote:
| Dear WG,
|
| just as a reminder, we have a working group last call open for
|
| > "Preventing Use of Recursive Nameservers in Reflector Attacks"
| > draft-ietf-dnsop-reflectors-are-evil-02.txt
| >
| > to be published as a BCP. The WGLC will end Sat, 2006-11-11 23:59 UTC.
| >
| > Please review and comment on this draft on this mailing list. The chairs
| > will not forward the document to the AD unless at least five reviewers
| > have indicated their support (for both the draft and the intended status).
| > Vendors' indication to follow (or not) the recommendation would be appreciated.
|
| -Peter
|
| dnsop resources:_____________________________________________________
| web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
| mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
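Added illustration (not part of the mailing-list message above): a small Python model of the two filtering points discussed, a customer-side egress filter and an ISP-side ingress filter in the BCP 38 style. Both apply the same test, "is the source address inside the prefixes assigned to this site?", so a spoofed DNS query carrying the reflection victim's address is dropped before it reaches any recursive nameserver. The prefixes, packets and function names are constructed for the example, using documentation address ranges.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example: two prefixes assumed to be assigned to the customer site.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed packet representation: (source address, destination address, UDP port).
Packet = Tuple[str, str, int]


def source_is_own(src: str, prefixes: Iterable) -> bool:
    """True if src belongs to one of the site's own prefixes (same IP version)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes if net.version == addr.version)


def egress_filter(packets: List[Packet], prefixes=CUSTOMER_PREFIXES):
    """Customer-side egress filter at the site's edge router/firewall.

    Forwards only packets whose source address the site actually owns;
    everything else is spoofed (or misconfigured) and is dropped here,
    before it ever leaves the site. Returns (forwarded, dropped).
    """
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_own(pkt[0], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def ingress_filter(packets: List[Packet], customer_prefixes: List) -> tuple:
    """ISP-side ingress filter (BCP 38 style) on the customer-facing interface.

    Same membership test, applied one hop later with the prefixes the ISP
    assigned to that customer. It catches whatever an absent or broken
    customer egress filter let through.
    """
    return egress_filter(packets, customer_prefixes)


# Constructed sample traffic seen at the site's edge, all DNS queries (UDP/53).
SAMPLE_TRAFFIC: List[Packet] = [
    ("192.0.2.10", "198.51.100.53", 53),        # legitimate query from the site
    ("203.0.113.7", "198.51.100.53", 53),       # spoofed: source is the reflection victim
    ("2001:db8:1::5", "2001:db8:f::53", 53),    # legitimate IPv6 query
    ("2001:db8:bad::1", "2001:db8:f::53", 53),  # spoofed IPv6 source
]


def spoofed_sources(packets: List[Packet], prefixes=CUSTOMER_PREFIXES) -> List[str]:
    """Convenience: the list of source addresses the egress filter would drop."""
    _, dropped = egress_filter(packets, prefixes)
    return [pkt[0] for pkt in dropped]


if __name__ == "__main__":
    fwd, drp = egress_filter(SAMPLE_TRAFFIC)
    print("forwarded:", fwd)
    print("dropped at customer edge:", drp)
    # If the site had no egress filter, the ISP's ingress filter makes the same decision:
    print("dropped at ISP ingress:", ingress_filter(SAMPLE_TRAFFIC, CUSTOMER_PREFIXES)[1])
```

The point of keeping both functions is the one the message makes: the check is identical, only its location differs, so a site that filters its own egress does not depend on its ISP having deployed BCP 38 correctly, and an ISP that does filter ingress still protects against sites that do not.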
