[191790] in North American Network Operators' Group


Re: BCP38 adoption "incentives"?

daemon@ATHENA.MIT.EDU (Joe Klein)
Tue Sep 27 09:56:07 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <95921eaf-e215-9454-046e-375a86f19c33@satchell.net>
From: Joe Klein <jsklein@gmail.com>
Date: Tue, 27 Sep 2016 09:52:38 -0400
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

What would it take to test for BCP38 for a specific AS?

Joe Klein
"Inveniam viam aut faciam"

PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Tue, Sep 27, 2016 at 8:31 AM, Stephen Satchell <list@satchell.net> wrote:

> Does anyone know if any upstream and tiered internet providers include in
> their connection contracts a mandatory requirement that all
> directly-connected routers be in compliance with BCP38?
>
> Does anyone know if large ISPs like Comcast, Charter, or AT&T have put in
> place internal policies requiring retail/business-customer-aggregating
> routers to be in compliance with BCP38?
>
> Does any ISP, providing business Internet connectivity along with a block
> of IP addresses, include language in their contracts that any directly
> connected router must be in compliance with BCP38?
>
> I've seen a lot of moaning and groaning about how BCP38 is pretty much
> being ignored.  Education is one way to help, but that doesn't hit anyone
> in the wallet.  You have to motivate people to go out of their way to
> *learn* about BCP38; most business people are too busy with things that
> make them money to be concerned with "Internet esoterica" that doesn't add
> to the bottom line.  You have to make their ignorance SUBTRACT from the
> bottom line.
>
> Contracts, properly enforced, can make a huge dent in the problem of BCP38
> adoption.  At a number of levels.
>
> Equipment manufacturers not usually involved in this sort of thing (home
> and SOHO market) would then have market incentive to provide equipment at
> the low end that would provide BCP38 support.  Especially equipment
> manufacturers that incorporate embedded Linux in their products.  They can
> be creative in how they implement their product; let creativity blossom.
>
> I know, I know, BCP38 was originally directed at Internet Service
> Providers at their edge to upstreams.  I'm thinking that BCP38 needs to be
> in place at any point -- every point? -- where you have a significant-sized
> collection of systems/devices aggregated to single upstream connections.
> Particular systems/devices where any source address can be generated and
> propagated -- including compromised desktop computers, compromised light
> bulbs, compromised wireless routers, compromised you-name-it.
>
> (That is one nice thing about NAT -- the bad guys can't build spoofed
> packets.  They *can* build, um, "other" packets...which is a different
> subject entirely.)
>
> (N.B.:  Now you know why I'm trying to get the simplest possible
> definition of BCP38 into words.  The RFCs don't contain "executive
> summaries".)
>
