nanog mailing list archives

Re: BCP38 Deployment


From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Wed, 28 Mar 2012 11:00:39 -0400

On Mar 28, 2012, at 10:44 , Bingyang LIU wrote:

I'm Bingyang Liu, a Ph.D. student at Tsinghua University. My thesis topic is
on "source address validation".

Although BCP38 was proposed more than ten years ago, IP spoofing still
remains an attack vector [MIT-Spoofer] [ARBOR-Annual-Report] [Presentation
on NANOG Meeting] [Discussion in NANOG ML].

I did a lot of investigation, but still have no idea why so many ISPs haven't
deployed BCP38. I enumerate three reasons I found, and I'd like your comments
very much.

1. Stub ASes: They rely on their providers to filter, so they won't deploy
BCP38 on their own.
2. Low tier transit ASes: They are most likely to deploy BCP38 on the
interfaces towards their customers.
3. Large or tier1 ASes: Their peers and customers are also large. So uRPF
may have false positives and ACLs are too large to manage.

I also asked some ISP guys at IETF today; they all agreed that IP spoofing
is an issue, but they may not have deployed it. One key issue, I think, is
about incentive, i.e. you can filter, but you'll still receive spoofing
from providers and peers who haven't enforced BCP38.

While those reasons are somewhat valid, they are not the main reasons.

#1) Money.
Whenever someone asks "why...?", the answer is usually "money".  It costs money - CapEx if your equipment doesn't 
support RPF, and OpEx even if it does.  Plus opportunity cost if your customers don't like it or you screw up, as those 
customers will find someone who doesn't filter and move.

#2) Laziness.
When the question is "why have [you|they] not...?", the second most common answer is laziness.  Some call it "inertia", 
but reality is people are busy, lazy, etc.

Please note the complete lack of smilies or other indication I am kidding or being sarcastic.

There is also ignorance, stupidity, malice (yes, some people actually attack others or sell to those who do), etc.

-- 
TTFN,
patrick


