- Original Message -
> From: "Joe Klein"
> What would it take to test for BCP38 for a specific AS?
There's a tester tool, which I believe I put a link to on the wiki. One of
the Cali tech universities; Berkeley?
Cheers,
-- jra
--
Jay R. Ashworth Baylink
Even if the customers are unaware of the spoofed traffic, ISPs
should be aware which leaves them open for "aiding and abetting".
This doesn't require inspecting the payload of the packets. This
is the IP header which they are expected to examine and for which
there is a BCP saying to drop spoofed
Well there is money to be made in DDoS protection... See our
"friends" still hosting "those" pay sites.
Do not expect the vendors to cut themselves off from that market.
-
Alain Hebert aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770
In a message written on Tue, Sep 27, 2016 at 08:44:35PM +, White, Andrew
wrote:
> This assumes the ISP manages the customer's CPE or home router, which is
> often not the case. Adding such ACLs to the upstream device, operated by the
> ISP, is not always easy or feasible.
Unicast RPF should
Alain Hebert wrote:
> Do not forget the "NRA" ways.
I do not understand the "NRA" reference.
On Tue, 27 Sep 2016 20:44:35 -, "White, Andrew" said:
> This assumes the ISP manages the customer's CPE or home router, which is
> often not the case. Adding such ACLs to the upstream device, operated by the
> ISP, is not always easy or feasible.
Hopefully, if you've been burnt by this, you r
On 27.09.16 at 16:30, Mikael Abrahamsson wrote:
> The first page was completely devoid of any real technical information
> until I found the PDF (which from the color choice doesn't even look
> like a link). (https://www.nix.cz/cs/file/NIX_RULES_FENIX)
>
> It's still not obvious what the FENIX
Mike Hammett wrote:
> Is that common in CMTSes or just in certain ones?
it's a mandatory part of the docsis3 specification.
Nick
org
Sent: Wednesday, September 28, 2016 10:08:00 AM
Subject: Re: BCP38 adoption "incentives"?
At least as far as cable is concerned, there is already configuration on the
CMTS (e.g.
https://www.cisco.com/c/en/us/support/docs/broadband-cable/cable-security/20691-source-verify.html
) that
In article
you
write:
>What would it take to test for BCP38 for a specific AS?
Well, if a certain browser vendor let the browser deduce the
external IP address, then send out a UDP DNS PTR query for
.in-addr.browser-vendor.com to say, a large DNS
resolving cluster they also happen to be running
Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> - Original Message -
>
> From: "Andrew White"
> To: "Mike Hammett"
> Cc: nanog@nanog.org
> Sent: Tuesday, September 2
Do not forget the "NRA" ways.
Circular discussions every time an event arises, let it die out after
a few days, and hopefully, nothing changes.
-
Alain Hebert aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield,
On Tue, 27 Sep 2016, White, Andrew wrote:
This assumes the ISP manages the customer's CPE or home router, which is
often not the case. Adding such ACLs to the upstream device, operated by
the ISP, is not always easy or feasible.
Which is why the manufacturer should deploy a default config whi
"
To: "Mike Hammett"
Cc: nanog@nanog.org
Sent: Tuesday, September 27, 2016 3:44:35 PM
Subject: RE: BCP38 adoption "incentives"?
Hi Mike,
This assumes the ISP manages the customer's CPE or home router, which is often
not the case. Adding such ACLs to the upstream d
org
Subject: Re: BCP38 adoption "incentives"?
It would be incredibly low impact to have the residential CPE block any source
address not assigned by the ISP. Done.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
- Ori
chell"
To: nanog@nanog.org
Sent: Tuesday, September 27, 2016 7:31:24 AM
Subject: BCP38 adoption "incentives"?
Does anyone know if any upstream and tiered internet providers include
in their connection contracts a mandatory requirement that all
directly-connected routers be in c
The knobs that are available to push adoption of any standard can include
"Doing nothing", "Educating the community", "Incentives", "Public
Shaming", "Loss of business", "Engaging the policy & legal wanks". It seems
to me the first two options have not moved the ball much.
Must we move the last f
On Tue, 27 Sep 2016, Mike Jones wrote:
Any network operator should know if their network is blocking it or not
without having to deploy active probes across their network.
Err... I was not referring to the operator doing this on the CPEs they
provide to their customers. I was referring to ent
On 27 September 2016 at 15:32, Mikael Abrahamsson wrote:
> On Tue, 27 Sep 2016, Joe Klein wrote:
>
>> What would it take to test for BCP38 for a specific AS?
>
>
> Well, you can get people to run
> https://www.caida.org/projects/spoofer/#software
>
> I tried to get OpenWrt to include similar softw
On Tue, 27 Sep 2016, Joe Klein wrote:
What would it take to test for BCP38 for a specific AS?
Well, you can get people to run
https://www.caida.org/projects/spoofer/#software
I tried to get OpenWrt to include similar software, on by default, but
some people are afraid that they might incur
On Tue, 27 Sep 2016, Zbyněk Pospíchal wrote:
On 27.09.16 at 15:17, Mikael Abrahamsson wrote:
Hm, so the IX operator looks at packets at the IX (sFlow perhaps), see
who is sending attack packets, and if they're spoofed, this ISP is then
put in "quarantine", ie their IX port is basically now
What would it take to test for BCP38 for a specific AS?
Joe Klein
"Inveniam viam aut faciam"
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8
On Tue, Sep 27, 2016 at 8:31 AM, Stephen Satchell wrote:
> Does anyone know if any upstream and tiered internet providers include in
>
On 27.09.16 at 15:17, Mikael Abrahamsson wrote:
> Hm, so the IX operator looks at packets at the IX (sFlow perhaps), see
> who is sending attack packets, and if they're spoofed, this ISP is then
> put in "quarantine", ie their IX port is basically now useless.
Definitely not. Try to read first
On Tue, 27 Sep 2016, Zbyněk Pospíchal wrote:
The implementation of BCP38 over the local market strongly increased after
massive DDoS attacks in 2013 affecting a major part of the industry, thanks
to an initiative of the most important local IXP.
Hm, so the IX operator looks at packets at the IX (sFl
The implementation of BCP38 over the local market strongly increased after
massive DDoS attacks in 2013 affecting a major part of the industry, thanks
to an initiative of the most important local IXP.
There is a special separate last-resort "island mode" network, which is
intended to be activated in case
On Tue, 27 Sep 2016, Stephen Satchell wrote:
You have to make their ignorance SUBTRACT from the bottom line.
I'd say there is no way to actually achieve this. BCP38 non-compliance
doesn't hurt the one not in compliance in any significant amount, it hurts
everybody else.
The only way I can
Does anyone know if any upstream and tiered internet providers include
in their connection contracts a mandatory requirement that all
directly-connected routers be in compliance with BCP38?
Does anyone know if large ISPs like Comcast, Charter, or AT&T have put
in place internal policies requir