[151680] in North American Network Operators' Group
RE: BCP38 Deployment
daemon@ATHENA.MIT.EDU (Drew Weaver)
Wed Mar 28 14:32:11 2012
From: Drew Weaver <drew.weaver@thenap.com>
To: 'Bingyang LIU' <bjornliu@gmail.com>, Darius Jahandarie
<djahandarie@gmail.com>
Date: Wed, 28 Mar 2012 14:31:07 -0400
In-Reply-To: <CAPLDopKR7FXtmyvcjQhLr-KqiN48ixLsyAMrh6JtRv99V9yDVw@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Also,
Don't forget that transit providers currently bill their customers to carry that spoofed/DoS traffic, why would they filter it when it's $$$$ on their balance sheets?
-Drew
-----Original Message-----
From: Bingyang LIU [mailto:bjornliu@gmail.com]
Sent: Wednesday, March 28, 2012 1:15 PM
To: Darius Jahandarie
Cc: NANOG list
Subject: Re: BCP38 Deployment
Hi Darius,
Yes, I agree that feasible RPF solves the problem in a lot of scenarios.
However, in some other cases, the asymmetric routing is caused by static routing, traffic engineering, policy routing, etc., where the lengths of forward path and reverse path may differ, so feasible RPF may also fail (false positive).
Bingyang
On Wed, Mar 28, 2012 at 7:07 PM, Darius Jahandarie <djahandarie@gmail.com> wrote:
> On Wed, Mar 28, 2012 at 12:50, David Conrad <drc@virtualized.org> wrote:
>> I would be surprised if this were true.
>>
>> I'd argue that today, the vast majority of devices on the Internet (and certainly the ones that are used in massive D(D)oS attacks) are found hanging off singly-homed networks.
>
> Yes, but RPF can be implemented in places other than the customer
> edge. In those places, lack of widespread, easy, and vendor-supported
> feasible-path uRPF is what I believe really hurts things.
>
> Granted, this is along a different line than what the OP was talking
> about, but in terms of answering the question of "why don't we see
> ingress filtering as much as we should?", I think it's a large factor.
>
> --
> Darius Jahandarie
>
--
Bingyang Liu
Network Architecture Lab, Network Center,Tsinghua Univ.
Beijing, China
Home Page: http://netarchlab.tsinghua.edu.cn/~liuby
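
An added example, not part of the original thread: a simplified Python model of strict, feasible-path and loose uRPF on one router, showing the kind of false positive discussed above when a prefix is not announced on the link its traffic arrives on. The RIB contents, interface names (`if1`, `if2`) and the documentation prefixes are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# One RIB entry: prefix, interface it was learned on, and whether it is the
# best path (the one installed for forwarding).
Route = namedtuple("Route", "prefix iface best")

# Constructed RIB. Customer A announces 198.51.100.0/24 on both links.
# Customer B announces 203.0.113.0/24 only on if1 (traffic engineering),
# but its static default sends outbound traffic over if2.
RIB = [
    Route(ipaddress.ip_network("198.51.100.0/24"), "if1", True),
    Route(ipaddress.ip_network("198.51.100.0/24"), "if2", False),
    Route(ipaddress.ip_network("203.0.113.0/24"), "if1", True),
]

def candidates(src, rib):
    """All routes for the longest prefix covering src (best and alternates)."""
    addr = ipaddress.ip_address(src)
    covering = [r for r in rib if addr in r.prefix]
    if not covering:
        return []
    longest = max(r.prefix.prefixlen for r in covering)
    return [r for r in covering if r.prefix.prefixlen == longest]

def urpf_accept(src, in_iface, mode, rib=RIB):
    """Return True if a packet from src arriving on in_iface passes the check."""
    routes = candidates(src, rib)
    if mode == "loose":      # any route to the source exists
        return bool(routes)
    if mode == "strict":     # best path points back out the arrival interface
        return any(r.best and r.iface == in_iface for r in routes)
    if mode == "feasible":   # any known path points back out that interface
        return any(r.iface == in_iface for r in routes)
    raise ValueError(f"unknown mode: {mode}")

def evaluate(packets, rib=RIB):
    """Map (src, iface) -> {mode: accepted} for all three modes."""
    modes = ("strict", "feasible", "loose")
    return {p: {m: urpf_accept(p[0], p[1], m, rib) for m in modes} for p in packets}

if __name__ == "__main__":
    sample = [("198.51.100.10", "if2"),  # legitimate, alternate path
              ("203.0.113.5", "if2"),    # legitimate, prefix not announced on if2
              ("192.0.2.99", "if1")]     # source with no route at all
    for pkt, result in evaluate(sample).items():
        print(pkt, result)
```

The second packet is legitimate yet dropped by both strict and feasible-path checks, because no route for its prefix was ever learned on the arrival interface; only loose mode passes it, and loose mode also passes any spoofed source that is routable somewhere.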