[107614] in North American Network Operators' Group
Re: an effect of ignoring BCP38
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Sep 8 11:48:03 2008
To: k claffy <kc@caida.org>
In-Reply-To: Your message of "Sat, 06 Sep 2008 06:49:05 PDT."
<20080906134905.GA75970@rommie.caida.org>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 08 Sep 2008 11:47:53 -0400
Cc: bmanning@vacation.karoshi.com, nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Sat, 06 Sep 2008 06:49:05 PDT, k claffy said:
>
> do that many networks really allow spoofing? i used
> to think so, based on hearsay, but rob beverly's
> http://spoofer.csail.mit.edu/summary.php suggests
> things are a lot better than they used to be, arbor's
> last survey echoes same. are rob's numbers inconsistent
> with numbers anyone else believes to be true?

You can easily have a network configuration where 95% of the networks
do very stringent BCP38 on their customer-facing connections, but the
spoofing sources are carefully chosen to be within the 5% of places that
aren't filtering...

Plus, there's nothing that says that a network can't do BCP38 on 99.998%
of its ports, but has a punchout for the 3 or 4 ports that need it for
network monitoring/research. So a network could be reported as "non-spoofable"
to the MIT project, *and* still provide a sensor machine for the reverse
path project...