nanog mailing list archives

Re: BCP38 Deployment


From: Bingyang LIU <bjornliu () gmail com>
Date: Wed, 28 Mar 2012 18:10:12 +0200

Hi David, Leo, Patrick and all,

Considering the reasons you raised, do you think the following two things
can happen?

1. Given BCP38 as the only practical anti-spoofing technique, can an ISP
protect its customers well by implementing BCP38? I don't think so, because I
think BCP38 is accurate near the source but inaccurate near the
destination, i.e. if its customer is the target of a spoofing attack, its
capability to filter is relatively low.

2. Even if ineffective near the destination, is an ISP willing to deploy it
if it becomes easy to adopt and risk-free (no false positives)?

Sorry for my stupid and naive questions.

best
Bingyang

On Wed, Mar 28, 2012 at 5:45 PM, David Conrad <drc () virtualized org> wrote:

Leo,

On Mar 28, 2012, at 8:13 AM, Leo Bicknell wrote:
#1) Money.
#2) Laziness.

While Patrick is spot on, there is a third issue which is related
to money and laziness, but also has some unique aspects.

BCP38 makes the assumption that the ISP does some "configuration"
to ensure only properly sourced packets enter the network.  That
may have been true when BCP38 was written, but no longer accurately
reflects how networks are built and operated.

An interesting assertion.  I haven't looked at how end-user networks are
built recently.  I had assumed there continue to be customer aggregation
points within ISP infrastructure in which BCP38-type filtering could occur.
You're saying this is no longer the case?  What has replaced it?

BCP38 needs to be applied at the OEM level in equipment manufacturing,
not at the operational level with ISPs.

I don't believe this is either/or.  I agree that BCP38 features should be
turned on by default in CPE, however I believe it really needs to be
enforced at the ISP level.

As long as folks keep beating on (consumer) ISPs to implement BCP38,
nothing will happen.


Optimist.

Actually, given the uptick in spoofing-based DoS attacks, the ease with
which such attacks can be generated, recent high profile targets of said
attacks, and the full-on money pumping freakout about anything with
"cyber-" tacked on the front, I suspect a likely outcome will be proposals
for legislation forcing ISPs to do something like BCP38.

Regards,
-drc





-- 
Bingyang Liu
Network Architecture Lab, Network Center,Tsinghua Univ.
Beijing, China
Home Page: http://netarchlab.tsinghua.edu.cn/~liuby

