Re: Request for comment -- BCP38

["Jay R. Ashworth" <jra () baylink com>]

----- Original Message -----
> From: "Laszlo Hanyecz" <laszlo () heliacal net>

> > If you have links from both ISP A and ISP B and decide to send traffic
> > out ISP A's link sourced from addresses ISP B allocated to you, ISP A
> > *should* drop that traffic on the floor.  There is no automated or
> > scalable way for ISP A to distinguish this "legitimate" use from
> > spoofing; unless you consider it scalable for ISP A to maintain
> > thousands if not more "exception" ACLs to uRPF and BCP38 egress
> > filters to cover all of the cases of customers X, Y, and Z sourcing
> > traffic into ISP A's network using IPs allocated to them by other ISPs?
>
> This is a legitimate and interesting use case that is broken by BCP38.
> The effectiveness of BCP38 at reducing abuse is dubious, but the
> benefits of asymmetric routing are well understood.  Why should everyone
> have to go out of their way to break this.. it works fine if you just
> don't mess with it.

Let me see if I have your argument straight:

In order to enable an "interesting" use case that is used by maybe well under 
1% of end nodes not in PI address space, we should decide *not* to do 
something which makes it much easier to protect attack targets against
well over 75% of incoming attacks of ridiculous (>OC-12) bandwidth?

Is that what you're advocating?

No.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274