[162000] in North American Network Operators' Group


Re: BCP38 tester?

daemon@ATHENA.MIT.EDU (Jason Lixfeld)
Sun Mar 31 21:51:02 2013

From: Jason Lixfeld <jason@lixfeld.ca>
In-Reply-To: <CAM91edgocU_EGUx8V_viX7RbfBA9bWgGyeBC6e-PdrsN9bDLUA@mail.gmail.com>
Date: Sun, 31 Mar 2013 21:50:52 -0400
To: Peter Baldridge <petebaldridge@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 2013-03-31, at 9:43 PM, Peter Baldridge <petebaldridge@gmail.com> wrote:

> I can assume that if you are spoofing packets, resetting passwords on
> CPE and replacing the box would be trivial.  So it's questionable how
> useful this is.  It seems like it just adds cost for customers that
> can't spoof a packet to save their lives.

Maybe it's useful for the people who have no idea that their computers
are infected by bots that spoof packets.

> On Mar 31, 2013 6:37 PM, "Jason Lixfeld" <jason@lixfeld.ca> wrote:
>
> On 2013-03-31, at 10:48 AM, Jay Ashworth <jra@baylink.com> wrote:
>
> > Is there a program which users can run on an end-site workstation which
> > would test whether they are behind some link which is doing BCP38, or some
> > related type of source-address ingress filtering?
> >
> > I'm hoping for something that could be downloaded by users and run, and
> > try to forge a few packets to somewhere useful, which could be logged
> > somehow in conjunction with some unforged packets containing a traceroute,
> > so we could build up a database of leaky networks.
> >
> > On a related topic, while I know GRC Research's Steve Gibson is a bit of
> > a polarizing personality, he does have a fairly sizable consumer audience,
> > and might be a great distribution venue for such a thing.
> >
> > Or, perhaps, is there someone on here from Ookla?
> >
> > Patrick?  Could Akamai be persuaded to take an interest in this as a
> > research project?
>
>
> From my perspective, 99% of end-users probably don't understand (or
> care) that their provider might be responsible for initiating or
> precipitating a DDoS attack, period.  Most network operators are
> probably either too inexperienced to understand or too lazy to care.
>
> I believe that most everyone has a CPE of some sort, whether their
> service is resi or commercial.  So, what about shifting the focus to the
> CPE manufacturers?  They bend to technology and/or market pressures by
> bringing things like NAT, Firewalls, DLNA, UPnP, IPv6 (heh), PPPoE,
> RFC1483, etc. to their respective products to satisfy technology
> limitations or security concerns or whatever.  Why can't they help the
> cause by implementing some sort of RFC'ified BCP38 thing?


