Re: BCP38 adoption "incentives"?

[Joe Klein <jsklein () gmail com>]

What would it take to test for BCP38 for a specific AS?

Joe Klein
"Inveniam viam aut faciam"

PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Sep 27, 2016 at 8:31 AM, Stephen Satchell <list () satchell net> wrote:

> Does anyone know if any upstream and tiered internet providers include in
> their connection contracts a mandatory requirement that all
> directly-connected routers be in compliance with BCP38?
>
> Does anyone know if large ISPs like Comcast, Charter, or AT&T have put in
> place internal policies requiring retail/business-customer-aggregating
> routers to be in compliance with BCP38?
>
> Does any ISP, providing business Internet connectivity along with a block
> of IP addresses, include language in their contracts that any directly
> connected router must be in compliance with BCP38?
>
> I've seen a lot of moaning and groaning about how BCP38 is pretty much
> being ignored.  Education is one way to help, but that doesn't hit anyone
> in the wallet.  You have to motivate people to go out of their way to
> *learn* about BCP38; most business people are too busy with things that
> make them money to be concerned with "Internet esoterica" that doesn't add
> to the bottom line.  You have to make their ignorance SUBTRACT from the
> bottom line.
>
> Contracts, properly enforced, can make a huge dent in the problem of BCP38
> adoption.  At a number of levels.
>
> Equipment manufacturers not usually involved in this sort of thing (home
> and SOHO market) would then have market incentive to provide equipment at
> the low end that would provide BCP38 support.  Especially equipment
> manufacturers that incorporate embedded Linux in their products.  They can
> be creative in how they implement their product; let creativity blossom.
>
> I know, I know, BCP38 was originally directed at Internet Service
> Providers at their edge to upstreams.  I'm thinking that BCP38 needs to be
> in place at any point -- every point? -- where you have a significant-sized
> collection of systems/devices aggregated to single upstream connections.
> Particular systems/devices where any source address can be generated and
> propagated -- including compromised desktop computers, compromised light
> bulbs, compromised wireless routers, compromised you-name-it.
>
> (That is one nice thing about NAT -- the bad guys can't build spoofed
> packets.  They *can* build, um, "other" packets...which is a different
> subject entirely.)
>
> (N.B.:  Now you know why I'm trying to get the simplest possible
> definition of BCP38 into words.  The RFCs don't contain "executive
> summaries".)