[151696] in North American Network Operators' Group
Re: BCP38 Deployment
daemon@ATHENA.MIT.EDU (David Conrad)
Wed Mar 28 17:49:38 2012
From: David Conrad <drc@virtualized.org>
In-Reply-To: <20120328190317.GA49400@ussenterprise.ufp.org>
Date: Wed, 28 Mar 2012 14:49:02 -0700
To: Leo Bicknell <bicknell@ufp.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 28, 2012, at 12:03 PM, Leo Bicknell wrote:
> Tier 1 T640 core network with 10GE handoff
> Regional Cisco GSR network with 1GE handoff
> Local 1006 to Arris CMTS
> Subscriber Motorola Cable Modem to NetGear SOHO Gateway
> User Patron with Airport Express sharing a wired connection to WiFi
> ...
> If you were going to write it into law/regulation, where would you require it?
Seems to me that from a legislator's perspective, there is a pretty bright (as in "moth attracted to flame") line between "subscriber" and "provider".
> Maybe all of them should, but can they from a technological perspective?
Implementing telephone number portability was probably technologically more challenging for the telcos to deal with but that didn't stop the legislators from requiring it.
> I think given the thorny set of issues that taking a step back and
> saying, "rather than a perfect solution, what gets us most of the
> way there the cheapest, and quick" is a good question to ask.
You don't think that question has already been asked?
It has been a dozen years since BCP38 was published. Over that period, the Internet has grown immensely and with it, the threats the ability to trivially spoof source addresses represents. As far as I can tell, there has been little to no improvement in mechanisms to reduce those threats, yet high profile attacks against governments, departments/ministries, commercial organizations, etc., have only increased.
I figure at some point (likely after a particularly high-profile attack), politicians and their corporate masters are going to feel the need to be seen to "do something about the problem." I have some skepticism that 'something' is going to be an ideal solution.
> The perfect is the enemy of the good in this case. Solving this at the
> consumer CPE level would remove 90-95% of the problem at zero hardware
> cost, a very small software cost, and a very small support cost and
> probably make us stop talking about this issue altogether.
And the incentive for CPE manufacturers to invest in the small software cost is?
Regards,
-drc