[191890] in North American Network Operators' Group


Re: Request for comment -- BCP38

daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Sun Oct 2 04:00:37 2016

X-Original-To: nanog@nanog.org
Date: Sun, 2 Oct 2016 01:25:31 +0000 (UTC)
From: "Jay R. Ashworth" <jra@baylink.com>
To: North American Network Operators' Group <nanog@nanog.org>
In-Reply-To: <e748bc70-f59e-320c-4bf8-f96d0c252591@heliacal.net>
Errors-To: nanog-bounces@nanog.org

----- Original Message -----
> From: "Laszlo Hanyecz" <laszlo@heliacal.net>

>> If you have links from both ISP A and ISP B and decide to send traffic
>> out ISP A's link sourced from addresses ISP B allocated to you, ISP A
>> *should* drop that traffic on the floor.  There is no automated or
>> scalable way for ISP A to distinguish this "legitimate" use from
>> spoofing; unless you consider it scalable for ISP A to maintain
>> thousands if not more "exception" ACLs to uRPF and BCP38 egress
>> filters to cover all of the cases of customers X, Y, and Z sourcing
>> traffic into ISP A's network using IPs allocated to them by other ISPs?
> 
> This is a legitimate and interesting use case that is broken by BCP38.
> The effectiveness of BCP38 at reducing abuse is dubious, but the
> benefits of asymmetric routing are well understood.  Why should everyone
> have to go out of their way to break this.. it works fine if you just
> don't mess with it.

Let me see if I have your argument straight:

In order to enable an "interesting" use case that is used by maybe well under 
1% of end nodes not in PI address space, we should decide *not* to do 
something which makes it much easier to protect attack targets against
well over 75% of incoming attacks of ridiculous (>OC-12) bandwidth?

Is that what you're advocating?

No.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
