RE: BCP38 Deployment

[Drew Weaver <drew.weaver () thenap com>]

Also,

Don't forget that transit providers currently bill their customers to carry that spoofed/DoS traffic, why would they 
filter it when it's $$$$ on their balance sheets?

-Drew


-----Original Message-----
From: Bingyang LIU [mailto:bjornliu () gmail com] 
Sent: Wednesday, March 28, 2012 1:15 PM
To: Darius Jahandarie
Cc: NANOG list
Subject: Re: BCP38 Deployment

Hi Darius,

Yes, I agree that feasible RPF solves the problem in a lot of scenarios.

However, in some other cases, the asymmetric routing is caused by static routing, traffic engineering, policy routing, 
etc., where the lengths of forward path and reverse path may differ, so feasible RPF may also fail (false positive).

Bingyang

On Wed, Mar 28, 2012 at 7:07 PM, Darius Jahandarie <djahandarie () gmail com> wrote:
> On Wed, Mar 28, 2012 at 12:50, David Conrad <drc () virtualized org> wrote:
> > I would be surprised if this were true.
> >
> > I'd argue that today, the vast majority of devices on the Internet (and certainly the ones that are used in massive 
> > D(D)oS attacks) are found hanging off singly-homed networks.
>
> Yes, but RPF can be implemented in places other than the customer 
> edge. In those places, lack of widespread, easy, and vendor-supported 
> feasible-path uRPF is what I believe really hurts things.
>
> Granted, this is along a different line than what the OP was talking 
> about, but in terms of answering the question of "why don't we see 
> ingress filtering as much as we should?", I think it's a large factor.
>
> --
> Darius Jahandarie



--
Bingyang Liu
Network Architecture Lab, Network Center,Tsinghua Univ.
Beijing, China
Home Page: http://netarchlab.tsinghua.edu.cn/~liuby