[194201] in North American Network Operators' Group
Re: BCP 38 coverage if top x providers ...
daemon@ATHENA.MIT.EDU (Laurent Dumont)
Fri Mar 24 15:04:48 2017
X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Laurent Dumont <admin@coldnorthadmin.com>
Date: Fri, 24 Mar 2017 15:04:43 -0400
In-Reply-To: <87k27eaf21.fsf@mid.deneb.enyo.de>
Errors-To: nanog-bounces@nanog.org
Wouldn't you want BCP38 policies to be as close as possible to the
traffic sources? Instead of creating more "fake" traffic?
And at the same time, partial filtering doesn't seem as a very effective
way to fight spoofed traffic on a large scale.
On 03/24/2017 11:07 AM, Florian Weimer wrote:
> * Jared Mauch:
>
>>> On Nov 19, 2016, at 9:13 PM, Frank Bulk <frnkblk@iname.com> wrote:
>>>
>>> My google fu is failing me, but I believe there was a NANOG posting a year
>>> or two ago that mentioned that if the top x providers would
>>> implement BCP 38
>>> then y% of the traffic (or Internet) would be de-spoofed. The point was
>>> that we don't even need everyone to implement BCP 38, but if the largest
>>> (transit?) providers did it, then UDP reflection attacks could be
>>> minimized.
>>>
>>> If someone can recall the key words in that posting and dig it up, that
>>> would be much appreciated.
>> A double lookup of the packet is twice as expensive and perhaps
>> impractical in some (or many) cases.
> Do you actually have to filter all packets?
>
> Or could you just sample a subset and police the offenders, on the
> assumption that if you don't implement an anti-spoofing policy, you
> end up with near-constant leakage?
