Re: BCP38 (was: Re: Why won't providers source-filter attacks? Simple.)

2014-02-08 Thread Jay Ashworth
- Original Message -
 From: Roland Dobbins rdobb...@arbor.net

 On Feb 8, 2014, at 4:25 AM, Chris Grundemann cgrundem...@gmail.com
 wrote:
 
  Documenting those various mechanisms which are actually utilized is
  the key here. =)
 
 Yes, as well as the various limitations and caveats, like the
 wholesale/retail issue (i.e., customers of my customer).

And anyone who has factual data on that topic is invited to contribute it
to (stop me if you've heard this one)...

  http://www.bcp38.info

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



BCP38 (was: Re: Why won't providers source-filter attacks? Simple.)

2014-02-07 Thread John Curran
On Feb 5, 2014, at 2:12 AM, Jimmy Hess mysi...@gmail.com wrote:
 On Wed, 05 Feb 2014 12:18:54 +1100, Mark Andrews said:
 Now if we could get equipment vendors to stop shipping models
 without the necessary support it would help but that also may require
 government intervention.
 ...
 
 A good start would be to get BCP38 revised to router the Host
 requirements RFCs, to indicate that ingress filtering should be
 considered mandatory on site-facing interfaces.
 ...

It's also true that if a sizable group of network operators were to actually 
deploy source address validation (thus proving that it really is a reasonable 
approach and doesn't carry too much operational or vendor implications), 
then it would be quite reasonable for those operators to bring the results 
to NANOG and get it recognized as a best current operating practice for 
networks of similar design/purpose.

 If the standards documents still just call it a best practice what
 hope is there of having governments require it of the service providers
 that their networks are connected to, anyways?

There is a significant difference between a best current practice (BCP)
document from the IETF (a technical standards body) versus one which actually
reflects the well-considered best practices of a large network operator forum.  
The latter would be of some interest to governments (and groups of governments)
when they ask for any options that might help with their growing spam and DDoS 
concerns...

FYI,
/John







Re: BCP38 (was: Re: Why won't providers source-filter attacks? Simple.)

2014-02-07 Thread Dobbins, Roland

On Feb 8, 2014, at 3:37 AM, John Curran jcur...@arin.net wrote:

 It's also true that if a sizable group of network operators were to actually 
 deploy source address validation (thus proving that it really is a reasonable 
 approach and doesn't carry too much operational or vendor implications), then 
 it would be quite reasonable for those operators to bring the results to 
 NANOG and get it recognized as a best current operating practice for networks 
 of similar design/purpose.

Many already do - including operators of very large networks.  There are 
operational, vendor, and topological considerations which mean that it's 
achieved utilizing various mechanisms in different scenarios.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: BCP38 (was: Re: Why won't providers source-filter attacks? Simple.)

2014-02-07 Thread Chris Grundemann
On Fri, Feb 7, 2014 at 2:07 PM, Dobbins, Roland rdobb...@arbor.net wrote:


 On Feb 8, 2014, at 3:37 AM, John Curran jcur...@arin.net wrote:

  It's also true that if a sizable group of network operators were to
 actually deploy source address validation (thus proving that it really is a
 reasonable approach and doesn't carry too much operational or vendor
 implications), then it would be quite reasonable for those operators to
 bring the results to NANOG and get it recognized as a best current
 operating practice for networks of similar design/purpose.

 Many already do - including operators of very large networks.  There are
 operational, vendor, and topological considerations which mean that it's
 achieved utilizing various mechanisms in different scenarios.


Documenting those various mechanisms which are actually utilized is the key
here. =)

$0.02
~Chris


-- 
@ChrisGrundemann
http://chrisgrundemann.com


Re: BCP38 (was: Re: Why won't providers source-filter attacks? Simple.)

2014-02-07 Thread Dobbins, Roland

On Feb 8, 2014, at 4:25 AM, Chris Grundemann cgrundem...@gmail.com wrote:

 Documenting those various mechanisms which are actually utilized is the key 
 here. =)

Yes, as well as the various limitations and caveats, like the wholesale/retail 
issue (i.e., customers of my customer).

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton