Re: an effect of ignoring BCP38

[Valdis.Kletnieks () vt edu]

On Thu, 11 Sep 2008 00:28:25 PDT, Jo Rhett said:

> I've been in, near, or directly in touch with enough big provider NOCs  
> in the last year on various DoS attach research issues, and nearly  
> nobody... that's right NONE of them were using BCP38 consistently.   
> Name the five biggest providers you can think of.  They ain't doing  
> it.   Now name the five best transit providers you can think of.  They  
> ain't doing it either.  (note that all of these claimed to be doing so  
> in that survey, but during attack research they admitted that it was  
> only in small deployments)

Part of the problem is that if you're talking about the 5 biggest providers,
and the 5 biggest transit, you're talking about places with routing swamps
big enough, and with sufficient dragons in residence, that you really *can't*
do BCP38 in any sane manner.  AS1312 (us) is able to do very strict BCP38
on a per-port level on every router port, because we *know* what's supposed to
be on every subnet.  By the time you walk our list of upstreams to any of
the '5 biggest anything', you've gotten to places where our multihomed status
means you can't filter our source address very easily (or more properly, where
you can't filter multihomed sources in general).

> If someone told me (truthfully) that there was 10% BCP38 compliance  
> out there, I'd be surprised given what I have observed.

The MIT Spoofer project seems to indicate that closer to 50% *of the edge* is
doing sane filtering. And that's where you need to do it - *edge* not *core*.

Attachment: _bin
Description: