Ralf: ISPs have a lot of routes to worry about, specifically if their customer base is multi-homed with network blocks allocated by other ISPs. Even worse is if ISPs have customers who are also ISPs with even more downstream networks that need to be announced. Pretty soon it becomes a serious headache trying to implement BCP38 at the ISP level and not ending up with half your customer base angry over why you aren't allowing x.x.x.x/24 to be announced from some legitimate entity 5 hops down the chain. And if RIR records haven't been properly updated with who owns what, the task is even more difficult.
The big problem with BCP38 is that it really needs to be phased in from the ground up at the smallest of network levels and not from the top down at the ISP level. ISPs do wield the power to implement BCP38, but nobody would like the outcome if they did. Nor would they like the expense and headache of doing it. Granted, ISP networks they've allocated are pretty easy, but address space which didn't originate from an ISP's pool becomes infinitely more of a headache. BCP38 implementation should begin on networks where a packet first originates. By the time packets reach the ISP, you are asking for the impossible.

On Tue, Mar 18, 2014 at 6:21 AM, Ralf Hildebrandt <[email protected]> wrote:

> > While this is indeed correct, the unfortunate state of affairs is that
> > providers are placing the entire onus upon service operators to prevent abuses
> > and once the "fix" is in place, the status quo returns where BCP38 is deemed
> > "not needed after all" because responsive security (updating software,
> > blocking ports) has been put in place. Many providers are uninterested in
> > spending money and resources in implementing proactive security.
>
> I recently asked the local firewall and router admins if it was
> actually "HARD" to implement. They all went "WTF, are you joking?".
>
> So I fail to see how ISPs and the like cannot simply "do the same"
>
> --
> Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
> [email protected]                  Campus Benjamin Franklin
> http://www.charite.de              Hindenburgdamm 30, 12203 Berlin
> Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
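
Added example, not part of the original messages: a per-port BCP38 source check showing why address space from outside the ISP's own pool is the hard case discussed above. All customer names, prefixes (RFC 5737 documentation ranges) and packets are constructed for illustration.

```python
import ipaddress

# Constructed sample data using RFC 5737 documentation prefixes.
# Prefixes this ISP allocated to each customer port from its own pool.
ALLOCATED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25"],
}
# Space a customer legitimately sources that did not come from this ISP's pool
# (multi-homed block from another ISP, or a downstream network).
EXTERNAL = {
    "cust-b": ["198.51.100.0/24"],
}
# (ingress port, source address) pairs, constructed for the example.
PACKETS = [
    ("cust-a", "192.0.2.10"),     # own allocation
    ("cust-a", "203.0.113.7"),    # spoofed source
    ("cust-b", "192.0.2.200"),    # own allocation
    ("cust-b", "198.51.100.25"),  # multi-homed block from another ISP
    ("cust-b", "192.0.2.10"),     # cust-a's address seen on cust-b's port
]


def build_acl(customer, know_external):
    """Per-port list of permitted source networks."""
    prefixes = list(ALLOCATED.get(customer, []))
    if know_external:
        prefixes += EXTERNAL.get(customer, [])
    return [ipaddress.ip_network(p) for p in prefixes]


def permitted(acl, src):
    """BCP38 check: forward only if the source falls in a permitted prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)


def audit(packets, know_external):
    """Return (port, source, 'permit' or 'drop') for each packet."""
    return [
        (port, src, "permit" if permitted(build_acl(port, know_external), src) else "drop")
        for port, src in packets
    ]


if __name__ == "__main__":
    for known in (False, True):
        print(f"external prefixes known to the ISP: {known}")
        for port, src, verdict in audit(PACKETS, known):
            print(f"  {port:7} {src:15} {verdict}")
```

With only the ISP's own allocations in the filter, the legitimate multi-homed source is dropped along with the spoofed ones; it passes only once the external prefix has been registered for that port.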
