nanog mailing list archives

Re: BCP38 - Internet Death Penalty


From: Saku Ytti <saku () ytti fi>
Date: Wed, 27 Mar 2013 21:18:19 +0200

On (2013-03-27 11:05 -0500), Jack Bates wrote:

> I'm not arguing that the process can't be done. The problem is,
> there are a number of networks that don't know it needs to be done
> and why, or they don't know how to do it. There are a number of
> networks that have no concept of scripting changes into their
> routers.

Exactly. If we target BCP38 at last-mile we have 0 hope to achieve
sufficient coverage to make spoofing attacks less practical than HTTP GET
from unspoofed address.

I think we should educate tier2 operators who offer transit to tier3. It's
the most practical place for BCP38. tier1<->tier2 can't do it: strict IRR
prefix-filtering is not practical there. tier2<->tier3 can do it; it's practical
to do a strict BGP prefix-filter.

If you are doing a strict BGP prefix-filter, it's either very easy to
generate an ACL while at it, or 0 work in say JunOS, as you can just use the same
prefix-list for the firewall filter.

Open recursors may have been a discussion point in the pre-DNSSEC world; in the post-DNSSEC
world it's easy enough to find large RRs from an arbitrary authoritative server,
that is, even if you closed all open recursors the problem would not go away.

-- 
  ++ytti
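The Junos pattern the post refers to, as an added illustration (not configuration from the post or from any real network): one `prefix-list` holding the customer's registered prefixes is referenced twice, once by the BGP import policy (strict prefix filtering of what the customer may announce) and once by an ingress firewall filter on the customer-facing interface (BCP38 source validation). The prefixes, interface name, neighbor address and AS number are constructed documentation values.

```junos
policy-options {
    /* Single source of truth: the customer's registered prefixes (constructed values). */
    prefix-list CUSTOMER-AS64500 {
        192.0.2.0/24;
        198.51.100.0/24;
    }
    /* Strict BGP import: accept only the registered prefixes (or more-specifics), reject the rest. */
    policy-statement IMPORT-CUSTOMER-AS64500 {
        term accept-registered {
            from {
                prefix-list-filter CUSTOMER-AS64500 orlonger;
            }
            then accept;
        }
        term reject-everything-else {
            then reject;
        }
    }
}
firewall {
    family inet {
        /* BCP38 ingress filter built from the same prefix-list: no separate ACL to maintain. */
        filter BCP38-CUSTOMER-AS64500 {
            term allow-registered-sources {
                from {
                    source-prefix-list {
                        CUSTOMER-AS64500;
                    }
                }
                then accept;
            }
            term drop-spoofed {
                then {
                    count spoofed-sources;   /* counter makes spoofing attempts visible */
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* Customer-facing port (constructed name); the filter is applied inbound. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input BCP38-CUSTOMER-AS64500;
                }
            }
        }
    }
}
protocols {
    bgp {
        group customers {
            neighbor 203.0.113.2 {
                peer-as 64500;
                import IMPORT-CUSTOMER-AS64500;
            }
        }
    }
}
```

Because both the routing policy and the firewall filter point at the same `prefix-list`, adding a prefix for the customer is a single change that keeps the BGP filter and the anti-spoofing filter in sync; `show firewall filter BCP38-CUSTOMER-AS64500` exposes the `spoofed-sources` counter for monitoring. The usual caveat applies to multi-homed customers: sources they legitimately use but do not announce to you must be added to the list, or the filter will drop their traffic.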