[161854] in North American Network Operators' Group


Re: BCP38 - Internet Death Penalty

daemon@ATHENA.MIT.EDU (Saku Ytti)
Wed Mar 27 15:18:34 2013

Date: Wed, 27 Mar 2013 21:18:19 +0200
From: Saku Ytti <saku@ytti.fi>
To: nanog@nanog.org
In-Reply-To: <515318B8.2060306@brightok.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On (2013-03-27 11:05 -0500), Jack Bates wrote:

> I'm not arguing that the process can't be done. The problem is,
> there are a number of networks that don't know it needs to be done
> and why, or they don't know how to do it. There are a number of
> networks that have no concept of scripting changes into their
> routers.

Exactly. If we target BCP38 at last-mile we have 0 hope to achieve
sufficient coverage to make spoofing attacks less practical than HTTP GET
from unspoofed address.

I think we should educate tier2 operators who offer transit to tier3. It's
the most practical place for BCP38. tier1<->tier2 can't do it, strict IRR
prefix-filtering is not practical. tier2<->tier3 can do it, it's practical
to do strict BGP prefix-filtering.

If you are doing strict BGP prefix-filtering, it's either very easy to
generate an ACL while at it, or 0 work in say JunOS, as you can just use the
same prefix-list for the firewall filter.

Open recursors may have been a discussion point in the pre-DNSSEC world; in the
post-DNSSEC world it's easy enough to find large RRs from an arbitrary
authoritative server, that is, even if you'd close all open recursors the
problem would not go away.

-- 
  ++ytti
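The Junos pattern the post refers to (one prefix-list feeding both the BGP import policy and the customer-facing firewall filter), as an added example that is not from the original message; the customer name, the RFC 5737 documentation prefixes and the neighbor address are assumptions:

```junos
policy-options {
    prefix-list CUST-A-PREFIXES {
        192.0.2.0/24;
        198.51.100.0/24;
    }
    /* BGP import: accept only the registered prefixes (and more-specifics) */
    policy-statement CUST-A-IMPORT {
        term accept-registered {
            from {
                prefix-list-filter CUST-A-PREFIXES orlonger;
            }
            then accept;
        }
        term reject-rest {
            then reject;
        }
    }
}
protocols {
    bgp {
        group CUSTOMERS {
            neighbor 203.0.113.2 {
                import CUST-A-IMPORT;
            }
        }
    }
}
firewall {
    family inet {
        /* Same prefix-list reused as the BCP38 source-address check */
        filter CUST-A-BCP38 {
            term allow-own-sources {
                from {
                    source-prefix-list {
                        CUST-A-PREFIXES;
                    }
                }
                then accept;
            }
            term drop-spoofed {
                then {
                    count spoofed-packets;
                    discard;
                }
            }
        }
    }
}
```

The filter is applied as `filter { input CUST-A-BCP38; }` under `family inet` on the customer-facing interface, and the `spoofed-packets` counter gives you a cheap signal of how much spoofed traffic that customer is actually sourcing. The prefix-list has to cover every prefix the customer may legitimately source from, not only what it announces to you, otherwise a multihomed customer's traffic from its other upstream's address space is dropped along with the spoofed packets.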

