On 2/4/2014 2:18 PM, John Levine wrote:

>>>> If just three of the transit-free networks rewrote their
>>>> peering contracts such that there was a $10k per day penalty
>>>> for sending packets with source addresses the peer should
>>>> reasonably have known were forged, this problem would go away
>>>> in a matter of weeks.
>>>
>>> Won't work because no one will sign that contract.
>
> Oh, right, how hard can it be to put a bell on that pesky cat?
>
>
> I was at a conference with people from some Very Large ISPs. They
> told me that many of their large customers absolutely will not let
> them do BCP38 filtering. ("If you don't want our business, we can
> find someone else who does.") The usual problem is that they have
> PA space from two providers and for various reasons, not all of
> which are stupid, traffic with provider A's addresses sometimes
> goes out through provider B. Adding to the excitement, some of
> these customers are medium sized ISPs with multihomed customers of
> their own.
>
> I don't know BGP well enough to know if it's possible to send out
> announcements for this situation, this address range is us, but
> don't route traffic to it. Even if it is, not all of the customers
> do BGP, some are just stub networks.
>
> If we could figure out a reasonable way (i.e., one that the
> customers might be willing to implement) to handle this, it'll make
> BCP38 a lot more doable.
>

BCP84? :-)

- ferg

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
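Added example, not part of the original message: BCP84 (RFC 3704) covers ingress filtering for multihomed networks, and this sketch models the case quoted above, where traffic sourced from provider A's PA space arrives at provider B's customer port. It compares strict RPF, feasible-path RPF and a static ingress list; the prefixes, interface names, preference values and the `RIB`/`INGRESS_ACL` tables are all constructed assumptions.

```python
import ipaddress

# Constructed sample state for provider B's edge router; names and prefixes are hypothetical.
PA_FROM_A = ipaddress.ip_network("192.0.2.0/24")     # customer's space from provider A
PA_FROM_B = ipaddress.ip_network("198.51.100.0/24")  # customer's space from provider B

# RIB: all learned paths per prefix as (interface, preference); highest wins.
# The customer also announces A's prefix to B, de-preferred: feasible, not best.
RIB = {
    PA_FROM_B: [("cust0", 200)],
    PA_FROM_A: [("peer0", 150), ("cust0", 50)],
}
# Static ingress list for a stub customer that does not run BGP.
INGRESS_ACL = {"cust0": [PA_FROM_A, PA_FROM_B]}


def paths_for(src):
    """Longest-prefix match of src against the RIB; returns all candidate paths."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in RIB if addr in net]
    return RIB[max(matches, key=lambda n: n.prefixlen)] if matches else []


def strict_rpf(src, in_if):
    """Accept only if the best route back to src points out the arrival interface."""
    paths = paths_for(src)
    return bool(paths) and max(paths, key=lambda p: p[1])[0] == in_if


def feasible_rpf(src, in_if):
    """Accept if any learned path to src, best or not, uses the arrival interface."""
    return any(iface == in_if for iface, _ in paths_for(src))


def acl_filter(src, in_if):
    """Accept if src falls inside a prefix explicitly listed for the interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INGRESS_ACL.get(in_if, []))


def evaluate(src, in_if="cust0"):
    """Verdict of each filter for a packet with source src arriving on in_if."""
    checks = {"strict": strict_rpf, "feasible": feasible_rpf, "acl": acl_filter}
    return {name: check(src, in_if) for name, check in checks.items()}


if __name__ == "__main__":
    for sample in ("198.51.100.7", "192.0.2.7", "203.0.113.7"):
        print(sample, evaluate(sample))
```

Strict RPF drops the legitimate packet sourced from provider A's space, while the feasible-path check and the static list accept it and still reject the address the customer was never assigned.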