[194199] in North American Network Operators' Group

Re: BCP 38 coverage if top x providers ...

daemon@ATHENA.MIT.EDU (Florian Weimer)
Fri Mar 24 11:07:58 2017

X-Original-To: nanog@nanog.org
From: Florian Weimer <fw@deneb.enyo.de>
To: Jared Mauch <jared@puck.nether.net>
Date: Fri, 24 Mar 2017 16:07:50 +0100
In-Reply-To: <9EB78A78-CC71-4DBE-ABA6-4B05FB7E6496@puck.nether.net> (Jared
 Mauch's message of "Tue, 22 Nov 2016 10:44:09 -0500")
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

* Jared Mauch:

>> On Nov 19, 2016, at 9:13 PM, Frank Bulk <frnkblk@iname.com> wrote:
>>
>> My google fu is failing me, but I believe there was a NANOG posting a year
>> or two ago that mentioned that if the top x providers would implement BCP 38
>> then y% of the traffic (or Internet) would be de-spoofed.  The point was
>> that we don't even need everyone to implement BCP 38, but if the largest
>> (transit?) providers did it, then UDP reflection attacks could be
>> minimized.
>>
>> If someone can recall the key words in that posting and dig it up, that
>> would be much appreciated.

> A double lookup of the packet is twice as expensive and perhaps
> impractical in some (or many) cases.

Do you actually have to filter all packets?

Or could you just sample a subset and police the offenders, on the
assumption that if you don't implement an anti-spoofing policy, you
end up with near-constant leakage?
