Re: BCP38 making it work, solving problems

[Fred Baker <fred () cisco com>]

At 01:11 PM 10/19/04 +0200, JP Velders wrote:
> As it was "in the old days": first clean up your own act and then start 
> pointing at others that they're doing "it" wrong.

hear hear... But Paul knows and in fact does that. He is pointing out the 
difficulty of getting people to do basic things that are for their own 
benefit.

For example, how many ISPs use TCP MD5 to limit the possibility of a 
BGP/TCP connection getting hijacked or disrupted by a ddos attack? But this 
has been in the code since ~1990, and was put there because of a fairly 
serious and specific attack that was made on Internet routing, and benefits 
primarily the ISP that enables the procedure in that it knows that its 
routes are coming to it from systems it has chosen to trust.

Ingress filters help the ISP that installs them, in that a certain class of 
attacks are prevented among customers of the ISP. Would it be better if all 
ISPs and all edge networks put appropriate filters in place? Absolutely. 
But even if they do not, the ISP saves itself that much trouble.

Where ingress filters don't help, of course, is when the attacks come from 
an apparently-legitimate address. Then we are off to other tools.