[151649] in North American Network Operators' Group


Re: BCP38 Deployment

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Mar 28 11:14:39 2012

Date: Wed, 28 Mar 2012 08:13:35 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <E43C159D-0E3E-4452-B022-46A3B07179E1@ianai.net>

In a message written on Wed, Mar 28, 2012 at 11:00:39AM -0400, Patrick W. Gilmore wrote:
> #1) Money.
> Whenever someone asks "why...?", the answer is usually "money".  It costs
> money - CapEx if your equipment doesn't support RPF, and OpEx even if it
> does.  Plus opportunity cost if your customers don't like it or you screw
> up, as those customers will find someone who doesn't filter and move.
> 
> #2) Laziness.
> When the question is "why have [you|they] not...?", the second most common
> answer is laziness.  Some call it "inertia", but reality is people are
> busy, lazy, etc.

While Patrick is spot on, there is a third issue which is related
to money and laziness, but also has some unique aspects.

BCP38 makes the assumption that the ISP does some "configuration"
to ensure only properly sourced packets enter the network.  That
may have been true when BCP38 was written, but no longer accurately
reflects how networks are built and operated.

To get source address validation widely deployed it needs to be
baked into consumer CPE.  The requirement needs to be a "default
on" in the DOCSIS specs, for instance.  Residential gateways need
to come from the factory with unicast RPF turned on.  BCP38 needs
to be applied at the OEM level in equipment manufacturing, not at
the operational level with ISPs.

There are, simply, too many variations in CPE devices to expect
ISPs to _configure_ them.  Even when the configuration is
"standardized" (like DOCSIS) ISPs have to think really hard about
the operational impact of turning on a feature; and one buggy
implementation can scuttle an idea network-wide.

Which really comes back to Patrick's point #2.  If the people who
care about this want to see a positive change they need to stop
badgering ISPs to implement BCP38 and start badgering
Linksys/Netgear/D-Link/Motorola/Apple/Touchstone/SMC/Westtel to
make unicast RPF a default part of their gateway implementation.
More importantly, they need to get them to brand it as a _feature_:
"protect your computer from being used by hackers; our router ensures
they won't use up all of your data cap!"  Then it will be something they
can sell, and thus something they will implement.

As long as folks keep beating on (consumer) ISPs to implement BCP38,
nothing will happen.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/


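The check Leo wants shipped "default on" in residential gateways is strict unicast RPF on the LAN-facing port: a packet is forwarded only if the gateway's own route back to the packet's source address points out the interface it arrived on, so a host on the customer LAN cannot emit packets with someone else's source address. The following is an added example written for this page, not code from the post or from any CPE vendor; the FIB, the interface names lan0/wan0 and the sample packets are constructed, and it follows the common convention of not counting the default route as a valid reverse path. It contrasts strict mode with loose mode to show why loose mode alone does not deliver BCP38 at the customer edge.

```python
"""Strict vs loose unicast RPF on a residential gateway's LAN port.

Added example (not from the NANOG post). The FIB, interface names and
sample packets below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Hypothetical CPE FIB: the customer's prefix behind lan0, one extra
# prefix reachable via the uplink, and a default route towards the ISP.
GATEWAY_FIB: Tuple[Route, ...] = (
    Route(ipaddress.ip_network("192.0.2.0/24"), "lan0"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "wan0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan0"),
)


def best_route(fib: Iterable[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match for addr.

    The default route (prefix length 0) is skipped: by convention uRPF does
    not treat it as a reverse path unless explicitly configured to.
    """
    best = None
    for route in fib:
        if route.prefix.prefixlen == 0:
            continue
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def urpf_permits(fib: Iterable[Route], src: str, in_iface: str, mode: str = "strict") -> bool:
    """Source-address validation for a packet from src arriving on in_iface.

    strict: permit only if the reverse path to src leaves via in_iface.
            This is the check BCP38 needs on a CPE's LAN-facing port.
    loose:  permit if any non-default route covers src at all. It catches
            unrouted space but still lets a LAN host spoof any routed
            address, so it is not sufficient at the customer edge.
    """
    route = best_route(fib, ipaddress.ip_address(src))
    if route is None:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return route.iface == in_iface
    raise ValueError(f"unknown uRPF mode: {mode!r}")


def filter_packets(fib, packets, mode: str = "strict") -> List[Tuple[str, str, str]]:
    """Return (src, in_iface, verdict) for each (src, in_iface) pair."""
    return [
        (src, iface, "permit" if urpf_permits(fib, src, iface, mode) else "drop")
        for src, iface in packets
    ]


# Constructed traffic seen on the LAN port: one legitimate host and two
# spoofed sources of the kind a DDoS bot behind the gateway would emit.
LAN_SAMPLE = [
    ("192.0.2.10", "lan0"),    # the customer's own address space
    ("198.51.100.5", "lan0"),  # spoofed: routed, but the route points at wan0
    ("203.0.113.7", "lan0"),   # spoofed: only the default route covers it
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, filter_packets(GATEWAY_FIB, LAN_SAMPLE, mode))
```

Run stand-alone it prints the verdicts for both modes: strict mode drops both spoofed sources, while loose mode lets the 198.51.100.5 packet through because some route covers that address. The same strict check applied on wan0 would permit 198.51.100.5 and drop a packet claiming to come from 192.0.2.10, which is the symmetric half of the filter an ISP-side BCP38 deployment performs.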
